Verdict: MALICIOUS
Risk Score: 240
Malware Insights
MITRE ATT&CK
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1566.002 Spearphishing Attachment
The PDF file is malformed and contains an OpenAction trigger that launches cmd.exe. This indicates an attempt to execute arbitrary commands. The embedded script payload, when decompressed, reveals the use of 'cmd.exe "WScript.Shell"', confirming the execution of shell commands. This pattern is consistent with a malicious PDF designed to exploit vulnerabilities and download further payloads.
Heuristics (5)
- Launch action (critical, PDF_LAUNCH): PDF contains a /Launch action whose target is an executable, URL, or UNC path; this can start an external application.
- /Launch action target: cmd.exe (critical, PDF_LAUNCH_COMMAND): PDF /Launch action specifies an executable target that references a known-dangerous executable (cmd, PowerShell, etc.).
- Malformed PDF header with no object graph (high, PDF_MALFORMED_NO_OBJECT_GRAPH): File starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
- OpenAction trigger (high, PDF_OPENACTION): PDF has an /OpenAction that launches, submits, or opens an external target.
- Embedded script payload in PDF stream (high, PDF_EMBEDDED_SCRIPT_PAYLOAD): PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.