Malicious PDF — malware analysis report

Static analysis result for SHA-256 aeffd46b2b0bb59f…

MALICIOUS

PDF

160.4 KB
MD5: 782a4c2f75554d7d11f14c1fac1ea49c SHA-1: 4f9de121bbb399c7a0ce9d78970f7aff0d681dd9 SHA-256: aeffd46b2b0bb59f5895399e86ffe63a0a6b6a4b4f4ec822489b3ce029b23b1a
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF file contains a launch action that targets cmd.exe, indicating an attempt to execute commands. The embedded script payload, when decompressed, reveals a command that constructs a VBScript. This script likely aims to download and execute a second-stage payload, a common technique for malware delivery. The presence of a launch action and embedded script strongly suggests a malicious intent to compromise the user's system.

Heuristics 4

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/C echo Set fso=CreateObject\("Scripting.FileSystemObject"\' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00000137.bin
b289cef1c6d42db57796e339d06e228f2bab7a9d886548cdd581dd767028015d		 pdf-embedded-script PDF decompressed stream script payload at offset 0x137 552 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.