MALICIOUS
190
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
The PDF file contains a critical launch action targeting cmd.exe, indicating an attempt to execute arbitrary commands. The embedded script payload and the ML classifier further confirm malicious intent. The primary IOC is the embedded URL, which likely serves as a distribution point for a second-stage payload. The execution of cmd.exe suggests a downloader or initial access mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.9995
Heuristics 4
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters ' /c echo Set swchndnknqktsfqenigd = CreateObject\("MSXML2.ServerXMLHTTP"\' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://xin.w2c.ru/kit/?m=1
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_000002d5.bina6d5d37a9fca0b60fd7b75eadc1dc34283d7415d66420af5b546af0d13658280 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x2D5 | 705 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.