Malicious PDF — malware analysis report

Static analysis result for SHA-256 a7d9479b9fd25841…

MALICIOUS

PDF

670.0 KB Created: 2011-07-25 12:07:48 Authoring application: Microsoft® Office Word 2007
MD5: 29c4804b23e416ae2676bcf067b6b7e9 SHA-1: 7331d64055a777b322f76ef1d0b4abf3b635dd22 SHA-256: a7d9479b9fd25841fc90ec11d68618984d8cd2d8705ca671cc2bedd57469d818
254 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains a launch action that targets cmd.exe, indicating an attempt to execute commands. This is further supported by the presence of an embedded script payload and heuristics flagging PDF launch actions and parser evasion techniques. The script likely downloads and executes a second-stage payload from one of the embedded URLs. The document body contains garbled text and embedded URLs, but no clear user-facing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9679

Heuristics 7

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION
    PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shvets-artemik7709.narod2.ru/g_Pikal/rasp/1/
    • http://kartog.ucoz.ru/index/106_pikaljovo_strugi/0-16
    • http://shvets-artemik7709.narod2.ru/g_Pikal/rasp/2/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00004b91.bin
e7040abd04aac677fa3c3aa7266ae337b716dd14f31d71968918836eb0012dc6		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4B91 178868 bytes
embedded_pdf_script_00066529.bin
e74f2769c952b0610baa23225e0d51dbe5ff717a9e13f672c38f01a03a023f20		 pdf-embedded-script PDF decompressed stream script payload at offset 0x66529 686053 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.