Malicious PDF — malware analysis report

Static analysis result for SHA-256 10bb21189de031c4…

MALICIOUS

PDF

1.7 KB
MD5: 393308302cd3c8f7defde17a40cb1551 SHA-1: 3ea2f5c0722a7e68f31428a4a9d31d150801ad29 SHA-256: 10bb21189de031c43b63747f2030d00031c06570787c38a0df6facb9ea1b0b2d
292 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains an OpenAction that triggers a launch action, which in turn executes cmd.exe. This command then attempts to download a file named 'faktura.exe' from a local network URL using PowerShell and save it as 'payload.exe'. The embedded script and heuristics strongly indicate the intent to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics 7

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://192.168.1.107/faktura.exe

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000017c.bin
1838e3b06a1789712530f7229448c15cd27990882b50f5a343b5824148e54dbc		 pdf-embedded-script PDF decompressed stream script payload at offset 0x17C 66 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.