Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f63bd153d5e4cae…

Verdict: MALICIOUS

File type: PDF

File size: 679 B
MD5: bb6bf496445da65fe79611368b39fcf8
SHA-1: bb7a5b9c0fc1a540d8b94d0a986df60a43710337
SHA-256: 0f63bd153d5e4caec5f2ade4b0521920e1101e135880918d5d33859b26ed5862

Risk Score: 190

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains a launch action that attempts to execute the Notepad executable. This is a common technique used to trick users into believing they are opening a legitimate document while a malicious process is started in the background. The ML classifier verdict and the ClamAV detection further support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • /Launch action target: /C/Windows/System32/notepad.exe (high, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target.