Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd22f280382d8344…

Verdict: MALICIOUS
Type: PDF
Size: 69.5 KB
MD5: 7de5e7ce194f3c04cb74f3126322a246
SHA-1: 4524ec5260b17e01e495ae25164bfa9ebf7dab6a
SHA-256: fd22f280382d8344ec33801f55436d1f3e18f86dc772bb777f9a02c411ec5f8e
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1027 Obfuscated Files or Information
  • T1140 Deobfuscate/Decode Files or Information
  • T1059 Command and Scripting Interpreter

The PDF document contains a Base64-encoded Windows executable payload. The heuristic indicates that this payload is likely decoded and executed using process injection APIs such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. This suggests the PDF is acting as a dropper for a malicious executable.

Heuristics (1)

  • Base64-encoded Windows executable payload in PDF (severity: critical, rule: PDF_BASE64_PE_PAYLOAD)
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_000002fe.exe
SHA-256:  cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20
Kind:     embedded-pe
Source:   PDF raw base64 PE payload at offset 0x2FE
Size:     52736 bytes