Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cb9671d54e85c9b…

MALICIOUS

PDF

Size: 1.60 MB
Created: 2023-06-16 10:03:05 +02:00
Authoring application: TeX (via MiKTeX pdfTeX-1.40.25)
First seen: 2026-03-07
MD5: 91f1b9637f551921cc6d7f966c43ef5a
SHA-1: ea928e06b50fda509a760e5a74c3e652e569a181
SHA-256: 2cb9671d54e85c9b732c29cfead3ffdf8aedac8eda8ab58813e97a148e05edd6
Risk Score: 204

Malware Insights

MITRE ATT&CK
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious Link

This PDF document contains embedded JavaScript and a suspicious script payload. Heuristics indicate it is designed to lure users into executing commands by copy-pasting them into a shell, a common technique for downloading and executing further malicious content. The presence of a high-entropy carved artifact further supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8338

Heuristics (8)

  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Remote GoTo action info PDF_GOTO_REMOTE
    PDF has GoToR/GoToE actions that reference sibling document files, which is typical of multi-part document bundles.
  • External URI info PDF_URI
    PDF contains an external URL action.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (22)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_pdf_script_0015b762.bin
ef63862e0266e4469e7f7c5baf3150b11975a951d742269eeccf3879784d87d6
pdf-embedded-script | PDF decompressed stream script payload at offset 0x15B762 | 1675388 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 13 long base64-like blob(s). Carved macro source contains an auto-exec entry point and execution/download terms.
font_00_type1_off000ff153.bin
6581508edc864ccdfc83fc08e99d07ec408abecca00a7f3d98ad36a2291a916d
pdf-font-stream | PDF embedded font (type1) at offset 0xFF153 | 19888 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.
font_01_type1_off00103d3f.bin
5531fb4b59d692cddf249cbbbdb45179abe03c29336d9d7eea46e59efa76a657
pdf-font-stream | PDF embedded font (type1) at offset 0x103D3F | 7315 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.84, consistent with packed or encrypted content.
font_02_type1_off00105980.bin
628fdddc70727b498ed2eff7156eab66710f6d1103b8e9a28d8ea3c0bd447562
pdf-font-stream | PDF embedded font (type1) at offset 0x105980 | 12095 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.
font_03_type1_off00108800.bin
712925c36074ac96f3f2b6f4b1267e39a63d48829199f158165bb931752a4a76
pdf-font-stream | PDF embedded font (type1) at offset 0x108800 | 7286 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_04_type1_off0010a419.bin
1c9e30e13403db73b5b08528909de042a68396c4d0d1b66e8028849382b50bad
pdf-font-stream | PDF embedded font (type1) at offset 0x10A419 | 8445 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.87, consistent with packed or encrypted content.
font_05_type1_off0010c4b5.bin
0a23c0e973e1eda96a0885f6243a50af4e27fb2b9bec2b4f6272ddf83a92c239
pdf-font-stream | PDF embedded font (type1) at offset 0x10C4B5 | 7281 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_06_type1_off0010e0d1.bin
12b7cda6945a3aaf10c8813e33524da3af7c0ad3b0455c5c54c1e077336f1d6a
pdf-font-stream | PDF embedded font (type1) at offset 0x10E0D1 | 27877 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
font_07_type1_off00114b95.bin
960be4694dbd9ab16fd25dbd63ecfb662e45d78ec29b2c024220143976386af0
pdf-font-stream | PDF embedded font (type1) at offset 0x114B95 | 9737 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
font_08_type1_off00117124.bin
828f9c2a3facced93ae63253b2ebb709dd6c4661a4d75d0128ec11fe2f02590b
pdf-font-stream | PDF embedded font (type1) at offset 0x117124 | 9115 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.88, consistent with packed or encrypted content.
font_09_type1_off0011944c.bin
392de88f8a11a9916b17612b711c6953600e6c12c1dc208e5e23b4a6f3e332e1
pdf-font-stream | PDF embedded font (type1) at offset 0x11944C | 24579 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
font_10_type1_off0011f25b.bin
f306ee6c23776685e357d8e27dc042ed6c340b3591a4b16a1107e5d5b0bcfa3f
pdf-font-stream | PDF embedded font (type1) at offset 0x11F25B | 16689 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.92, consistent with packed or encrypted content.
font_11_type1_off0012323c.bin
2481ed45be3cbced3cd1423eae5f3ed1314b9359efb52aad29cbd08bbff42fbc
pdf-font-stream | PDF embedded font (type1) at offset 0x12323C | 16922 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_12_type1_off001272bd.bin
f5d021807b0e2fcd09ffb0cb911e472b744b975d416c8a26468f3c6fd2583413
pdf-font-stream | PDF embedded font (type1) at offset 0x1272BD | 7459 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.83, consistent with packed or encrypted content.
font_13_type1_off00128f85.bin
b867e2e97b4e1f638d503b31831baa2b9dc4cb927b409f8a4bfc7ad6dfa76221
pdf-font-stream | PDF embedded font (type1) at offset 0x128F85 | 9037 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.
font_14_type1_off0012b27c.bin
7ab9752feff6ffb06a9ec5a32ee084cb540f97ca9970d9fdcae3afd39931b485
pdf-font-stream | PDF embedded font (type1) at offset 0x12B27C | 7275 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.84, consistent with packed or encrypted content.
font_15_type1_off0012ce99.bin
4e387994afc758f8ef0a14b2b0bfe0926ab807d289f7c79f81c2bc5622bdcb93
pdf-font-stream | PDF embedded font (type1) at offset 0x12CE99 | 18475 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.93, consistent with packed or encrypted content.
font_16_type1_off00131572.bin
dcdfe5fa8202583e79be803413ed422ff6a62583a2e78cb027c1dc95ed1273d7
pdf-font-stream | PDF embedded font (type1) at offset 0x131572 | 11935 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_17_type1_off00134345.bin
b028b0ec8e777b4ff7a626499ca9b97259af1c116042499654228d5cb863c1c9
pdf-font-stream | PDF embedded font (type1) at offset 0x134345 | 24344 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.91, consistent with packed or encrypted content.
font_18_type1_off0013a051.bin
73d30c0b5473324093344475a780fbdd324ee96fc0e14237ff162ad675320546
pdf-font-stream | PDF embedded font (type1) at offset 0x13A051 | 7835 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.75, consistent with packed or encrypted content.
font_19_type1_off0013bdb7.bin
93f3c18e8359efa775807ad9c540b104463a2d075231e17d93da2d5ac2b374b8
pdf-font-stream | PDF embedded font (type1) at offset 0x13BDB7 | 21969 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.90, consistent with packed or encrypted content.
font_20_type1_off00141186.bin
e2b046f30dd19e789fcee69c3a85d9470b6fbe42688e587f03e73aa317b4f2d3
pdf-font-stream | PDF embedded font (type1) at offset 0x141186 | 2614 bytes