Malicious PDF — malware analysis report

Static analysis result for SHA-256 01fc5b94795955f3…

MALICIOUS

PDF

43 B

First seen: 2026-06-04

MD5: 9acfb1a6f5016df7095d6beb358032ab
SHA-1: 6d018aa30c47485d855fba48c3383b6bc6d94d1d
SHA-256: 01fc5b94795955f3073063745edd4ac40496355dd9b7781bff1e8d4834977254

Risk Score: 70

Malware Insights

The WEBSHELL_PHP heuristic indicates the file is a PHP webshell, likely intended for command execution. The presence of '$_GET["desec"]' suggests it processes user input for command execution, a common webshell technique. While the file type is PDF, the heuristic strongly suggests PHP code was embedded or the file is misclassified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9768

Heuristics (1)

  • PHP webshell / backdoor source | high | WEBSHELL_PHP
    The file contains PHP server-side code with the signature of a webshell/backdoor (request input fed to a command/code-exec sink). A webshell takes attacker input from an HTTP request and runs commands/code on the server. Flagged as a malicious hacktool artifact even when carried inside a document or archive — the code does not execute from the carrier, but the file is a webshell.