Verdict: MALICIOUS
Risk Score: 270
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.003 Windows Command Shell
The PDF file is malformed and contains an OpenAction that triggers a launch action. This launch action targets cmd.exe, indicating an attempt to execute commands on the system. The presence of an embedded script payload further suggests the file is designed to download and execute additional malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics (5)
- Launch action (critical, PDF_LAUNCH): PDF contains a /Launch action whose target is an executable, URL, or UNC path; can start an external application.
- /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND): PDF /Launch action specifies an executable target; references a known-dangerous executable (cmd, PowerShell, etc.).
- Malformed PDF header with no object graph (high, PDF_MALFORMED_NO_OBJECT_GRAPH): File starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
- OpenAction trigger (high, PDF_OPENACTION): PDF has an /OpenAction that launches, submits, or opens an external target.
- Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.