Malicious PDF — malware analysis report

Static analysis result for SHA-256 40f06514ac172ec0…

MALICIOUS

PDF

917.4 KB Created: 2000-04-02 18:27:16 Authoring application: Anarchists Cookbook v2000 - Microsoft Word (via Acrobat PDFWriter 4.0 for Windows)
MD5: dcdbedd803d5da9b6903cdc45f3b504e SHA-1: 48234075d2bac477c07d0bd8c8b526f4f49f323e SHA-256: 40f06514ac172ec05b859793c798c5bff0d7946023526f42a1bd4683dd8ce8d5
320 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF file contains multiple high-severity heuristics indicating it is designed for social engineering. Specifically, it uses advance-fee scam lures, a visual download button, and a payment redirection lure, all aimed at deceiving the user. Crucially, a PDF launch action is configured to execute cmd.exe, which is a strong indicator of malicious intent. The embedded JavaScript, though obfuscated, likely contributes to the execution chain. The ClamAV detection further confirms its malicious nature.

Heuristics 11

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\p.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0935_000.js
35bb4a02c1abb2bb25a9524a3a41f6f23a69312bbcefc8dca40fbd883f1d55ae		 pdf-javascript-stream PDF /JS object 935 at offset 0xE50EC 50 bytes
stream_126_off0006ce8d.js
d1538b2482aa8da3d99ca2b0b77fb9cceb48cd8d2f01eb2024ad7352b1667429		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6CE8D 9151 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.