PDF malware analysis — malicious · 4eec2381404cfcd8

MALICIOUS

PDF

2.2 KB

MD5: 2eab9bef541339d45f8c79e4e6f0bfdc SHA-1: dac59d26ccda5a39368a401abe013bcb432ff333 SHA-256: 4eec2381404cfcd8f81c3a5122b8a7ce3ba19953d315bd2c1d081b9b50d83cfd

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The PDF file contains a launch action that executes cmd.exe. The embedded script payload and the document body indicate that this command is used to download and execute a second-stage payload from the URL http://www.directvirus.com/sw3243223.exe. The heuristics confirm the presence of a launch action targeting cmd.exe and an embedded script payload.

Heuristics 4

/Launch action target: "cmd.exe" critical PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target — references a known-dangerous executable (cmd, PowerShell, etc.).
Launch action high PDF_LAUNCH

PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.directvirus.com/sw3243223.exe

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_00000253.bin` `3e96c179e8a209e2ddd4efec25cd623b3542c85487bedefe761061bb2f809830`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x253	318 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.