MALICIOUS
270
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.003 Windows Command Shell
This PDF file is malformed and contains an OpenAction trigger that executes cmd.exe via a launch action. The ML classifier strongly indicates maliciousness. The embedded script payload, though truncated, suggests the intent is to download and execute a secondary payload, which is a common technique for malware delivery.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target — references a known-dangerous executable (cmd, PowerShell, etc.).
-
Malformed PDF header with no object graph high PDF_MALFORMED_NO_OBJECT_GRAPHFile starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
-
OpenAction trigger high PDF_OPENACTIONPDF has an /OpenAction that launches, submits, or opens an external target
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Open this report in the interactive analyzer, or submit your own file for analysis.