PDF malware analysis — malicious · 922046a8c9a704d5

MALICIOUS

PDF

4.7 KB Created: 2001-01-01 01:01:01 +01:00

MD5: 0811cce0ffdfd059883e60484895c174 SHA-1: ab1a90ac531a5390fdbbf61a5d7bb318aeefe6f9 SHA-256: 922046a8c9a704d5a360f7e63794583e48bbb9175a943b905fd18d4cea23d8d8

140 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF file contains a malicious URI that leverages command injection to execute arbitrary commands. Specifically, it attempts to disable the firewall using 'netsh', download a file named 'system.com' from '81.95.146.181' via FTP, and then execute it. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as Pdf.Exploit.Agent-34360.

Machine Learning

Nyx PDF Classifier malicious score 0.9616

Heuristics 4

ClamAV: Pdf.Exploit.Agent-34360 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-34360
PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
External URI low PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Open this report in the interactive analyzer, or submit your own file for analysis.