PDF malware analysis — malicious · 9d5b3e32097ef1dc

MALICIOUS

PDF

MD5: a4d2fa3b7bb4be9de196be44b4d88445 SHA-1: 1a0a9098068733ac0c6fda4d09c5644885a2df16 SHA-256: 9d5b3e32097ef1dc6b396ab77611b3ae6bd2f082c9d48044380959051c7f69d3

82 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF document contains a malicious URI that attempts to exploit a vulnerability in PDF readers, specifically targeting command execution. The heuristic 'PDF_DANGEROUS_URI_COMMAND' and the presence of 'calc.exe' in the URI strongly suggest an attempt to run arbitrary commands. The document body further contextualizes this by referencing URI handling issues. No scripts were extracted from this sample, limiting further analysis of the execution chain.

Heuristics 4

PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-10/msg00093.html
- http://secdev.zoller.lu
- http://lists.grok.org.uk/full-disclosure-charter.html
- http://www.derkeiler.com/Mailing−Lists/Full−Disclosure/2007−10/msg00093.html
- http://secunia.com/

Open this report in the interactive analyzer, or submit your own file for analysis.