Malicious PDF — malware analysis report

Static analysis result for SHA-256 e1b196d45c591e3a…

Verdict:    MALICIOUS
File type:  PDF
Size:       133.5 KB
Created:    2007-03-14 18:51:51 -04:00 (document metadata)
Authoring application: Firefox (via Mac OS X 10.4.9 Quartz PDFContext) (document metadata)
MD5:        0ea7ee5e1fdb530cb5432ec935ee1c3f
SHA-1:      f8a46bab50a0bff77eadc50a94809ef1855d9a8b
SHA-256:    e1b196d45c591e3a3a3cc3739d2e6bef915c2216eb0996aab9409663f9e433b1
Risk score: 248

Malware Insights

MITRE ATT&CK
  T1059.003  Command and Scripting Interpreter: Windows Command Shell
  T1204.002  User Execution: Malicious File

The PDF contains a /Launch action whose target is cmd.exe, an attempt to start the Windows command interpreter from the document itself, and it also carries a Windows executable with a verified PE header inside an ordinary stream rather than as a declared /EmbeddedFile attachment. Together these indicate a document built to start a process when it is opened, most plausibly to drop and execute the embedded payload or to fetch further malware; the ClamAV signature Pdf.Tool.Agent-1388586 corroborates the verdict. Two caveats for triage. First, /Launch is honoured by Adobe Reader and Acrobat (which warn before running it and, from version 9.3.3 onward, block executable file types by default) and by some other desktop viewers, but it is ignored by the browser-embedded PDF renderers, so execution depends on the viewer and on the user clicking through the prompt, which is why T1204.002 applies. Second, the 2007 creation date and the Mac OS X Quartz producer string are self-reported document metadata, trivially editable and sitting oddly beside a Windows-specific launch action, so they should not be taken as evidence of the file's real origin.

Heuristics (5)

  • Launch action [critical] PDF_LAUNCH
    The PDF contains a /Launch action whose target is an executable, URL, or UNC path; a viewer that honours it can start an external application.
  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • /Launch action target: cmd.exe [critical] PDF_LAUNCH_COMMAND
    The /Launch action names a known-dangerous executable (cmd, PowerShell, etc.) as its target.
  • ClamAV: Pdf.Tool.Agent-1388586 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Tool.Agent-1388586
  • Embedded file [low] PDF_EMBEDDED
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
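To make the three critical heuristics concrete, the following is an added example, written for this page and not the scanner's own code, of the checks they describe: find every /S /Launch action together with its /F target and /P parameters, inflate each FlateDecode stream the same way the carved "decompressed-pdf-stream" artifact under Extracted artifacts was produced, and verify a PE header (MZ, e_lfanew, PE\0\0, PE32/PE32+ magic) in the decoded bytes. The sample PDF is constructed inline and is not the analysed file; the dangerous-target list, the severity labels and the regex-based object handling are assumptions of the example, not the scanner's rules.

```python
"""Added example: regex-based triage for /Launch actions and PE payloads in PDF streams.
Not the scanner's code; the sample document and the target list are constructed here."""
import re
import struct
import zlib

# Assumption: the report's "cmd, PowerShell, etc." list, filled out with common script hosts.
DANGEROUS_TARGETS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe",
                     "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXEC_SUFFIXES = (".exe", ".bat", ".cmd", ".com", ".scr", ".vbs", ".js", ".ps1", ".dll", ".hta")
_PDF_STRING = rb"\((?:\\.|[^\\)])*\)"          # a (literal string) allowing \-escaped parens


def _pdf_string(key: bytes, window: bytes):
    """Value of the first '/key (string)' pair in window, or None (minimal unescaping only)."""
    m = re.search(key + rb"(?![A-Za-z])\s*(" + _PDF_STRING + rb")", window)
    if not m:
        return None
    return re.sub(rb"\\(.)", rb"\1", m.group(1)[1:-1]).decode("latin-1")


def classify_target(target: str) -> str:
    """Severity for a /Launch target, mirroring PDF_LAUNCH_COMMAND and PDF_LAUNCH."""
    t = target.strip().lower()
    base = t.replace("\\", "/").rsplit("/", 1)[-1]
    if base in DANGEROUS_TARGETS:
        return "critical"          # known-dangerous executable (cmd.exe, PowerShell, ...)
    if t.startswith(("http://", "https://", "\\\\", "//")) or base.endswith(EXEC_SUFFIXES):
        return "critical"          # any executable, URL or UNC path
    return "high"                  # a /Launch at all is suspicious in an ordinary document


def find_launch_actions(data: bytes) -> list:
    """Every /S /Launch action with the /F target and /P parameters found in its object."""
    hits = []
    for m in re.finditer(rb"/S\s*/Launch\b", data):
        start = max(data.rfind(b" obj", 0, m.start()), 0)
        end = data.find(b"endobj", m.end())
        window = data[start:end] if end != -1 else data[start:m.end() + 1024]
        target = _pdf_string(rb"/F", window) or ""
        hits.append({"offset": m.start(), "target": target,
                     "params": _pdf_string(rb"/P", window),
                     "severity": classify_target(target) if target else "high"})
    return hits


def iter_streams(data: bytes):
    """Yield (offset, raw body) for each stream...endstream pair, delimited by the keywords
    rather than by /Length, so a /Length that understates the stream size cannot hide bytes."""
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)\r?\n?endstream", data, re.S):
        yield m.start(1), m.group(1)


def inflate(raw: bytes):
    """(decoded, True) if raw inflates as a FlateDecode stream, otherwise (raw, False)."""
    try:
        return zlib.decompressobj().decompress(raw), True
    except zlib.error:
        return raw, False


def find_pe_headers(blob: bytes) -> list:
    """Offsets of verified PE headers: 'MZ', e_lfanew -> 'PE\\0\\0', PE32/PE32+ magic."""
    found = []
    for m in re.finditer(rb"MZ", blob):
        mz = m.start()
        if mz + 0x40 > len(blob):
            continue
        pe = mz + struct.unpack_from("<I", blob, mz + 0x3C)[0]     # e_lfanew is relative to MZ
        if pe + 0x1A > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
            continue
        if struct.unpack_from("<H", blob, pe + 0x18)[0] in (0x10B, 0x20B):
            found.append(mz)
    return found


def triage(data: bytes) -> dict:
    """Run the launch and embedded-PE heuristics over one PDF and collect the findings."""
    report = {"launch": find_launch_actions(data), "pe_streams": []}
    for offset, raw in iter_streams(data):
        blob, was_flate = inflate(raw)
        for pe_off in find_pe_headers(blob):
            report["pe_streams"].append({"stream_offset": offset, "flate": was_flate,
                                         "decoded_size": len(blob), "pe_offset": pe_off})
    return report


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: /OpenAction launches cmd.exe and an
    ordinary FlateDecode content stream wraps a minimal fake PE image."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew: PE right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # i386, 1 section, executable image
    fake_pe = bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x10B) + b"\0" * 0x200
    payload = zlib.compress(b"q 0 0 1 rg BT ET Q " + fake_pe)        # PE hidden behind content operators
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 5 0 R >>",
        b"<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c echo launched) >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload) + payload + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    for a in result["launch"]:
        print(f"[{a['severity']}] /Launch at 0x{a['offset']:X}: target={a['target']!r} params={a['params']!r}")
    for s in result["pe_streams"]:
        print(f"[critical] PE header at +0x{s['pe_offset']:X} inside stream at 0x{s['stream_offset']:X} "
              f"(flate={s['flate']}, {s['decoded_size']} bytes decoded)")
```

Running the script reports one critical /Launch (target cmd.exe with its parameters) and one PE header found only after inflating the stream, which is the point of PDF_EMBEDDED_PE_PAYLOAD: the raw file never contains an MZ/PE signature. The regex approach is deliberately simple and has known blind spots: it does not look inside object streams (/ObjStm), handles only FlateDecode (not LZW, ASCIIHex, ASCII85 or filter chains), and only follows literal /F strings, so for a real sample it complements rather than replaces a proper object-level parser.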

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: stream_006_off000086ab.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x86AB
  Size:    198504 bytes
  SHA-256: 5ad240fbbaf7bd0484a90a89e2f1190fc377e5af0f218b313c0d3ad756cb7327

Filename: icc_00_off000029fb.icc
  Kind:    pdf-icc-profile
  Source:  PDF ICC profile at offset 0x29FB
  Size:    1320 bytes
  SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d

Filename: font_00_sfnt_off00004669.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4669
  Size:    21572 bytes
  SHA-256: a68f517baa90c8f001a07e1fbbbc2c9132b68edf8899c6c6467cce85420a90a4

Triage note: the 198504-byte decompressed stream carved at 0x86AB is the place to confirm the MZ/PE header behind PDF_EMBEDDED_PE_PAYLOAD (a decoded size larger than the 133.5 KB file is expected for an inflated FlateDecode stream). The ICC profile and the sfnt font are routine output of the Quartz PDFContext producer named in the metadata and are not indicators on their own, although their hashes are worth keeping for clustering related samples.