PDF malware analysis — malicious · c3ad0ed541ca83c7

MALICIOUS

PDF

3.8 KB

MD5: 1635521b971e927c1d55af99b321c250 SHA-1: e59fb834e691abbb61a4cf30ce656ec3c817c01e SHA-256: c3ad0ed541ca83c7c7f12689dc9a43b5c762b1c2233442d09137b1acac87493e

138 Risk Score

Malware Insights

MITRE ATT&CK

T1059.003 Windows Command Shell T1105 Ingress Tool Transfer T1566.001 Spearphishing Attachment

The PDF file contains a malicious URI that leverages cmd.exe to execute a series of commands. These commands first disable the Windows firewall and then use FTP to download a file named 'ms32.exe' from the IP address 203.121.69.116. Finally, the downloaded executable is launched. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to a PDF exploit.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

ClamAV: Pdf.Exploit.Agent-34360 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-34360
PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
External URI low PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.