PDF malware analysis — malicious · 215ab1807ca75b54

MALICIOUS

PDF

155.1 KB Created: 98^%$#$%^&*()(*&^%$#%^&*)((*^%$#E$^%&()(*&^%$%&*)((*^&%$#^&()(*&^% Authoring application: 98^%$#$%^&*()(*&^%$#%^&*)((*^%$#E$^%&()(*&^%$%&*)((*^&%$#^&()(*&^%

MD5: 4093e0cb372c12023779b5d4d72a68cb SHA-1: 93fb67506344a85e8a70f0f059b2a7c48d8cd686 SHA-256: 215ab1807ca75b54d9c89688317fa23fc819670823d79e064bae72a86752a128

366 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.003 Windows Command Shell T1105 Ingress Tool Transfer

The PDF contains embedded JavaScript and a critical PDF_LAUNCH action targeting cmd.exe, indicating an attempt to execute a payload. A critical heuristic also identified an embedded PE executable payload. ClamAV detections confirm the malicious nature of both the PDF and the extracted artifact. The document body's filename suggests a lure related to a delivery notice, aligning with common social engineering tactics.

Heuristics 11

Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target — references a known-dangerous executable (cmd, PowerShell, etc.).
ClamAV: Win.Malware.Spesr-9855962-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Malware.Spesr-9855962-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.pdfill.com

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0018_000.js` `be6feec731e59e89e26acb9325beeeae489c48680ed819e751767f839c4e7dd9`	pdf-javascript-stream	PDF /JS object 18 at offset 0x24CD9	89 bytes
`javascript_obj0001_001.js` `026c2aae1e79f084d74bb98f90af8989fd8a7f1317831a757737c0f016edd73b`	pdf-javascript-stream	PDF /JS object 1 at offset 0x11	16720 bytes
`stream_001_off00000bfd.bin` `8ca39ffb221a74de601722bf6caab7e9eb9a00ce37acd3c497573440a1ed9aeb`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xBFD	282624 bytes
Detection ClamAV: Win.Malware.Spesr-9855962-0 Obfuscation or payload: unlikely
`font_00_sfnt_off000253d8.bin` `ebbca3761103bd3092a3fc1cc3eff548a643e1fa1753c91b0a57542f26428f74`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x253D8	5688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.