PDF malware analysis — malicious · e89284806fb8bd68

MALICIOUS

PDF

3.8 KB

MD5: 8ea902b3b52e022ad5496be996aa2065 SHA-1: b3d60aa7d52d93f385a6d1786417606f7c094571 SHA-256: e89284806fb8bd68ad72f59fd93ed36dbf64558abc8606a702cad2240a2936dc

108 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.003 Windows Command Shell

The critical ClamAV heuristic identified the file as Win.Trojan.Exploit-79. The PDF_DANGEROUS_URI_COMMAND heuristic fired on a URI that attempts to execute cmd.exe with a series of commands. These commands appear to download a file named 'ldr.exe' from the IP address 81.95.146.130 via FTP and then execute it. This indicates the PDF is a dropper for a secondary payload.

Heuristics 4

ClamAV: Win.Trojan.Exploit-79 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Exploit-79
PDF URI references command interpreter path high PDF_DANGEROUS_URI_COMMAND

PDF contains a /URI action whose target uses a mailto/path traversal shape and references a command interpreter or scripting host. This is not a normal web link and matches legacy PDF command execution/dropper lures.
External URI low PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/

Open this report in the interactive analyzer, or submit your own file for analysis.