PDF malware analysis — malicious · df52f80b0ba59798

MALICIOUS

PDF

MD5: 85740ee77fd448be2a553381c39b03e3 SHA-1: d07956f62ab42cc9870ed3b203334019dd9d96c2 SHA-256: df52f80b0ba59798441c6419758e6225a88c025f1771895ae1cf53be9f3798bf

142 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The PDF file contains a malicious URI that attempts to execute the calc.exe command, leveraging a command interpreter path. This is further supported by a heuristic indicating visible LOLBin command execution instructions within the document. The ClamAV detection confirms the malicious nature of the file, likely acting as a dropper or exploit for arbitrary command execution.

Heuristics 5

ClamAV: Pdf.Malware.Agent-9985192-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Malware.Agent-9985192-0
PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
Visible LOLBin command execution instruction high SE_LOLBIN_RUN_COMMAND

Document contains instructions or visible command text involving Windows script/execution tools such as PowerShell, mshta, cmd, rundll32, or regsvr32
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2007-10/msg00093.html
- http://secdev.zoller.lu
- http://lists.grok.org.uk/full-disclosure-charter.html
- http://www.derkeiler.com/Mailing−Lists/Full−Disclosure/2007−10/msg00093.html
- http://secunia.com/

Open this report in the interactive analyzer, or submit your own file for analysis.