MALICIOUS
406
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious File
T1059.003 Windows Command Shell
T1105 Ingress Tool Transfer
The PDF contains a critical PDF_LAUNCH heuristic firing, indicating an attempt to execute a command-line tool, specifically cmd.exe. This is further supported by a critical PDF_EMBEDDED_PE_PAYLOAD firing, suggesting an embedded executable. The presence of a ClamAV detection for 'Pdf.Tool.Agent-1388586' and on an extracted artifact ('Win.Trojan.Swrort-5710536-0') confirms the malicious nature. The embedded URL 'https://shorturl.at/itRY5' is likely used to download or host the secondary payload.
Heuristics 12
-
Launch action critical PDF_LAUNCHPDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
-
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOADPDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
-
/Launch action target: cmd.exe critical PDF_LAUNCH_COMMANDPDF /Launch action specifies an executable target with parameters '/Q /C %HOMEDRIVE%&cd %HOMEPATH%&(if exist "Desktop\\TEST.pdf" (cd "Desktop"' — references a known-dangerous executable (cmd, PowerShell, etc.).
-
ClamAV: Pdf.Tool.Agent-1388586 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Tool.Agent-1388586
-
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAVClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
-
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASIONPDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
-
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMANDDocument contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ngrok.com/docs/getting-started/
- https://tinyurl.com/bdpt5bpa
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- https://shorturl.at/itRY5
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0018_000.jse988d501b3746cd0283465f607966eaea5929a780c0f7af214772ef47f632b6c |
pdf-javascript-stream | PDF /JS object 18 at offset 0x20FF2 | 53 bytes |
stream_004_off000162c5.bin8041c9288f93b5dc949974b8a217e38702ad6ebb90bd6151d6e68242a2955cb1 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x162C5 | 73802 bytes |
|
Detection
ClamAV:
Win.Trojan.Swrort-5710536-0
Obfuscation or payload:
unlikely
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.