PDF malware analysis — malicious · 613aafeb0a0a2831

MALICIOUS

PDF

4.7 KB Created: 2002-02-02 02:02:02 +02:00

MD5: 356caee3eff70746d7dceec345123f21 SHA-1: 2403cb3c827b9504f7717bbafdcb5e89ed847924 SHA-256: 613aafeb0a0a2831496205582122dbce0d54621513b053945298fb60cca990ef

140 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.003 Windows Command Shell

The PDF sample contains a malicious URI that attempts to execute a command interpreter. This command interpreter is configured to download a file named 'system.com' from the IP address 81.95.146.181 via FTP and then execute it. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for arbitrary code execution.

Machine Learning

Nyx PDF Classifier malicious score 0.9616

Heuristics 4

ClamAV: Pdf.Exploit.Agent-34360 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-34360
PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
External URI low PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Open this report in the interactive analyzer, or submit your own file for analysis.