Malicious PDF — malware analysis report

Static analysis result for SHA-256 c80a0281a12e69cc…

MALICIOUS

PDF

1.3 KB
MD5: d060a74f59857fdd13e342659fd724ec
SHA-1: 2c875b5eebdcb01148e279dbe386577222196ebe
SHA-256: c80a0281a12e69cc72bc2d0b75a815d3be4856041bd56e9648c9ee1834cb4be5
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File

The PDF contains a /Launch action that executes 'cmd.exe'. The launched command downloads a file named 'calc.exe' from the IP address '172.16.122.138' using TFTP and then executes it. This indicates a clear intent to download and run a second-stage payload.

Heuristics (2)

  • Launch action (severity: critical, rule: PDF_LAUNCH)
    PDF contains a /Launch action whose target is an executable, URL, or UNC path; such an action can start an external application.
  • /Launch action target: cmd.exe (severity: critical, rule: PDF_LAUNCH_COMMAND)
    PDF /Launch action specifies an executable target that references a known-dangerous executable (cmd, PowerShell, etc.).