PDF malware analysis — malicious · 2b4b58c6438a278a

MALICIOUS

PDF

785 B

MD5: 3d382c31af6fb1f0ae191e4c5fb3682f SHA-1: beb2b3817eefb3752793dccb474b73b6dff32831 SHA-256: 2b4b58c6438a278aa4e87f3c57cd58e38e420b9fd835d0eb249ec13b49e63cf9

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1204.002 Malicious File

The PDF contains a launch action that executes cmd.exe. This command attempts to construct and save a VBScript payload to disk, likely for further execution. The embedded URL is likely used to download the malicious script. The script itself is obfuscated, but the intent to download and save a payload is clear.

Heuristics 4

Launch action high PDF_LAUNCH

PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
/Launch action target: cmd high PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM"'.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://sezlsez.co.cc/x/img.php?d=1

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_00000067.bin` `ad55c8e83a5896a04b2012c676820daeab2b84cc539e444c6366e79f55a571c5`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x67	63 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.