Malicious PDF — malware analysis report

Static analysis result for SHA-256 36a1b9e9fbb54342…

Verdict: MALICIOUS
File type: PDF
Size: 69.6 KB
Created: 2010-07-27 15:35:17 +07:00
MD5: 26b6501e00c0d0c82c18079cb6ff13d4
SHA-1: 8ef02fc14cd3c03485fec78cb101e607d72ebc3b
SHA-256: 36a1b9e9fbb5434201a6392af806c786c5ab83a4d918637d8d8f8da397fccdd3
Risk score: 168

Malware Insights

MITRE ATT&CK

  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains a /Launch action whose target is cmd.exe, i.e. an attempt to run arbitrary commands through the Windows command shell when the document is opened. An embedded file attachment and a script payload hidden in a stream were also detected, consistent with a staged second-stage payload carried inside the document. The primary attack vector is the /Launch action itself: it abuses a documented PDF feature (normally gated by the reader's confirmation prompt) rather than a parser or memory-safety bug, and none of the heuristics below point to an exploit for a reader vulnerability. The relevant control is therefore the reader's /Launch policy, not a parser patch.

Heuristics (4)

  • Launch action [critical] PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path, which can start an external application when the document is opened.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    The /Launch action names a known-dangerous executable (cmd.exe, PowerShell, etc.) rather than a document or URL.
  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    Stream bytes contain script-execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is a stronger signal than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes rather than code the reader itself would run.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0009.bin
SHA-256: 3b283fedb486aa1cf6e2f0df630be8c383214a41f87464e2700ef07542b3c32b
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 9 at offset 0x4A2
Size: 114750 bytes

Note: the carved size (114750 bytes) exceeds the 69.6 KB of the PDF itself, so it is presumably the decoded stream length (e.g. after FlateDecode) rather than the raw bytes on disk. When pivoting on the SHA-256 above, hash the decoded attachment, not the raw stream bytes, or the hashes will not match.
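The script below is an added example, not the tooling that produced this report. It re-implements the four heuristics listed above and the embedded-file carving shown in the artifact table using only the Python standard library: it walks every `N 0 obj ... endobj` body, resolves `#xx` name escapes in dictionaries (so `/L#61unch` is still recognised as `/Launch`), extracts `/F (...)` launch targets and classifies them, inflates FlateDecode streams and searches the decoded bytes for script markers, and carves `/EmbeddedFile` streams with their object number, file offset, decoded size and SHA-256. The rule IDs and severities are taken from the report; the executable list, marker list, and the regex-based object walk (which ignores object streams, cross-reference streams and indirect `/Length` references) are this example's own assumptions. The PDF it builds is constructed for the example and is not the analysed sample; the sizes it reports are decoded-stream sizes, consistent with the reading of the 114750-byte figure above.

```python
"""PDF triage scanner reproducing the four heuristics in this report.

Added example: this is not the report generator's code. Standard library only;
real samples with object streams, xref streams or incremental updates need a
proper parser rather than the regex object walk used here.
"""
import hashlib
import re
import zlib

# Executables that a /Launch target is almost never legitimately allowed to name.
DANGEROUS_EXES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Markers of a staged script payload inside stream bytes (compared lower-cased).
SCRIPT_MARKERS = (b"activexobject", b"createobject", b"wscript.shell",
                  b"powershell", b"shellexecute", b"cmd.exe /c")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b")
F_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)")  # /F (literal string)
HEX_NAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalise_names(dictionary: bytes) -> bytes:
    """Resolve #xx escapes in name tokens so /L#61unch is seen as /Launch.
    Applied to dictionaries only: stream bytes must never be rewritten."""
    return HEX_NAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dictionary)


def classify_target(target: str) -> str:
    """Bucket a /Launch target as url, unc, dangerous-exe or executable."""
    t = target.strip().lower()
    if t.startswith(("http://", "https://", "ftp://")):
        return "url"
    if t.startswith("\\\\"):
        return "unc"
    base = t.replace("\\", "/").rsplit("/", 1)[-1]
    return "dangerous-exe" if base in DANGEROUS_EXES else "executable"


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; decompressobj tolerates trailing/truncated data."""
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            pass  # undecodable filter: keep raw bytes, still worth scanning
    return raw


def scan_pdf(pdf: bytes) -> dict:
    """Return {'findings': [(rule_id, severity, detail)], 'artifacts': [dict]}."""
    findings, artifacts = [], []
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.search(body)
        dictionary = normalise_names(body[:sm.start()] if sm else body)

        if b"/Launch" in dictionary:
            findings.append(("PDF_LAUNCH", "critical", f"obj {objnum}: /Launch action"))
            for f in F_RE.findall(dictionary):
                target = f.decode("latin-1")
                if classify_target(target) == "dangerous-exe":
                    findings.append(("PDF_LAUNCH_COMMAND", "critical",
                                     f"obj {objnum}: target {target}"))

        if sm:
            raw = sm.group(1)
            ln = LENGTH_RE.search(dictionary)  # direct /Length only (assumption)
            if ln and int(ln.group(1)) <= len(raw):
                raw = raw[:int(ln.group(1))]
            data = decode_stream(dictionary, raw)
            hits = [k.decode() for k in SCRIPT_MARKERS if k in data.lower()]
            if hits:
                findings.append(("PDF_EMBEDDED_SCRIPT_PAYLOAD", "high",
                                 f"obj {objnum}: {', '.join(hits)}"))
            if b"/EmbeddedFile" in dictionary:
                findings.append(("PDF_EMBEDDED", "low", f"obj {objnum}: embedded file"))
                artifacts.append({"name": f"embedded_file_obj{objnum:04d}.bin",
                                  "offset": m.start(), "size": len(data),  # decoded size
                                  "sha256": hashlib.sha256(data).hexdigest(),
                                  "data": data})
    return {"findings": findings, "artifacts": artifacts}


def build_sample_pdf() -> bytes:
    """Constructed test document for this example; it is NOT the analysed sample."""
    payload = (b'Set sh = CreateObject("WScript.Shell")\r\n'
               b'sh.Run "cmd.exe /c echo example"\r\n')
    comp = zlib.compress(payload)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        # /L#61unch is /Launch with a hex-escaped 'a', a common name obfuscation.
        b"<< /S /L#61unch /Win << /F (cmd.exe) /P (/c echo example) >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    for rule, severity, detail in result["findings"]:
        print(f"{severity:8} {rule:28} {detail}")
    for art in result["artifacts"]:
        print(f"{art['name']} offset=0x{art['offset']:X} size={art['size']} sha256={art['sha256']}")
```

Run it against the constructed document and it reports the same four rule IDs as the report above, in object order, plus one carved artifact. Two design points carry over to real triage: name escapes are resolved only in dictionaries, never in stream bytes (rewriting compressed data would corrupt it), and the artifact hash is computed over the decoded stream, which is the form an analyst will actually receive from a carving tool.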