Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a64d3b25bdc56f6…

Verdict: MALICIOUS

File type: PDF

Size: 408.3 KB

MD5: 160980ff309de352204463ed20dd9c85
SHA-1: 4a93c031df28e0eb1372dbdc11d851bf8a246e18
SHA-256: 2a64d3b25bdc56f64ac5761da15e05a687db06f46f5717273a42a8b8359cf9dd

Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

The PDF contains a high-severity heuristic indicating visible LOLBin command execution instructions, suggesting an attempt to run malicious code. Additionally, it includes both a direct external URI and a URL-shortened link, both common methods for delivering malicious payloads or redirecting users to phishing sites. The presence of these elements strongly indicates a malicious intent to exploit user interaction with the document.

Heuristics (3)

  • Visible LOLBin command execution instruction (severity: high, rule: SE_LOLBIN_RUN_COMMAND)
    Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32.
  • Clickable URI uses URL shortener (severity: medium, rule: PDF_URL_SHORTENER_URI)
    PDF contains a clickable HTTP(S) action whose destination is a URL shortener. This hides the final landing page from static review and is common in phishing redirect PDFs.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  Filename: stream_005_off00005fd9.bin
  SHA-256: 0829f137bc9525b69f60dc3b46392318f7f8cd086dbb97afce7b8d413040f007
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5FD9
  Size: 39900 bytes