Malicious PDF — malware analysis report

Static analysis result for SHA-256 2b104743dece0009…

Verdict: MALICIOUS
File type: PDF
Size: 589.6 KB
Authoring application: Microsoft® Word 2016
MD5: 9f1e65ada4ffb823f9fd3b7a5f166897
SHA-1: ec7dfefeedec884583aef4e6857d33d8f480e8fd
SHA-256: 2b104743dece000958832b3a66f49d2ccaeba3a56325ef32cf615c51cf2250a1
Risk Score: 60

Malware Insights

MITRE ATT&CK: T1105 Ingress Tool Transfer

The PDF file was identified as malicious due to a critical heuristic firing for a hidden ZIP payload containing executable DLLs. This indicates the PDF is likely acting as a container to deliver secondary malicious components. The presence of multiple DLLs within the archive suggests a multi-stage attack or a collection of tools.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0253

Heuristics (1)

  • Hidden ZIP payload with executable entries inside PDF stream (severity: critical, rule PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD)
    PDF stream bytes contain an embedded ZIP archive whose local headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile); it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: hidden_pdf_zip_off00000048.zip
SHA-256: 626dcee43632b01f34a2ef935b9fe2abfac47208f89c27ffc95b081bd294e43a
Kind: pdf-hidden-zip
Source: PDF raw stream ZIP payload at offset 0x48
Size: 601662 bytes