Malicious PDF — malware analysis report

Static analysis result for SHA-256 27e30bfaa8a46e3b…

MALICIOUS

PDF

17.9 KB
MD5: e7abf1e753640c042a21adebf1398164
SHA-1: baab27261379de1b892078a287a9689521419d49
SHA-256: 27e30bfaa8a46e3baf0bafff02289733d68fef44029afce0dd396ef2c7beea76
Risk Score: 222

Malware Insights

MITRE ATT&CK
  • T1555 Credentials from Password Stores
  • T1059 Command and Scripting Interpreter
  • T1204 User Execution
  • T1027 Obfuscated Files or Information
  • T1190 Exploit Public-Facing Application

This PDF file was detected as malicious by multiple heuristics, including critical alerts for an embedded PE payload. ClamAV identified the embedded executable as Win.Worm.Strationpac-2. The primary attack pattern involves delivering a secondary executable payload disguised within the PDF document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8617

Heuristics (5)

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Win.Worm.Strationpac-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.Strationpac-2
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded file low PDF_EMBEDDED
    The PDF embeds a file attachment — it could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: root_forensics_malware_20070117_postcard_2.postcard.exe
SHA-256: c3c0262197ede364f89762e919b3e47512db84525874aeda02f6a31061f664be
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 8 at offset 0x3D2
Size: 18640 bytes
Detection: ClamAV: Win.Worm.Strationpac-2
Obfuscation or payload: likely
Carved artifact entropy is 7.68, consistent with packed or encrypted content.