Malicious PDF — malware analysis report

Static analysis result for SHA-256 885547accfc47934…

Verdict: MALICIOUS
File type: PDF
Size: 124.9 KB
MD5: ffcc7fc63f48432e47498e06fec03a2e
SHA-1: f7fee02484484f41a18c322513315c8580f0183b
SHA-256: 885547accfc47934f0a2cfa0f82c2ea6597958f4d7694da25b91d0e6ba98e358
Risk Score: 252

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.003 Windows Command Shell
  • T1566.001 Spearphishing Attachment

The PDF contains a launch action that executes cmd.exe, which in turn is used to launch an embedded PE payload. This indicates an attempt to execute a secondary malicious file, likely for further compromise. The ML classifier strongly supports the malicious nature of this PDF.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9866

Heuristics (5)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application.
  • Embedded Windows executable payload in PDF stream (critical, PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/c echo m=".":n="attachment.pdf" :y="c:\\windows\\system32\\ActiveX.exe":Set t=CreateObject("Adodb"+m+"Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • PDF JavaScript WScript downloader (high, PDF_JS_WSCRIPT_DOWNLOADER)
    Decoded PDF JavaScript reconstructs a Windows Script Host COM downloader using WScript.CreateObject plus XMLHTTP/ADODB.Stream style download, write, and run behavior. This is commodity payload delivery rather than a specific PDF parser CVE trigger.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_pdf_00011b75.exe
    SHA-256: 71a27c6a66888914c362c5bb938bb0eba088152d5d125154d74223679f17f87f
    Kind: embedded-pe
    Source: PDF decompressed stream, PE payload at offset 0x11B75
    Size: 55365 bytes