Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c06d1ce51081683…

MALICIOUS

PDF

131.1 KB First seen: 2026-05-10
MD5: 3e0f0a08ca5335fd0227381e2fb0deb6 SHA-1: b70461d0b79f9d743fd5d83af085e379906d57eb SHA-256: 3c06d1ce51081683601ad5327206c0daf216af043f745517430b8a08e2c9ea08
82 Risk Score

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2963

Heuristics 3

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0 In PDF document text
    • http://www.microsoft.com/exportingIn PDF document text
    • http://www.sysinternals.comIn PDF document text
    • https://www.verisign.com/rpaIn PDF document text
    • https://www.verisign.com/rpa01In PDF document text
    • http://crl.verisign.com/pca3.crl0In PDF document text
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0DIn PDF document text
    • https://www.verisign.com/rpa0In PDF document text
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/CSPCA.crl0HIn PDF document text
    • http://www.microsoft.com/pki/certs/CSPCA.crt0In PDF document text
    • http://crl.microsoft.com/pki/crl/products/tspca.crl0HIn PDF document text
    • http://www.microsoft.com/pki/certs/tspca.crt0In PDF document text
    • http://technet.microsoft.com/sysinternalsIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00007d13.bin decompressed-pdf-stream PDF FlateDecoded stream at offset 0x7D13 198504 bytes
SHA-256: 5ad240fbbaf7bd0484a90a89e2f1190fc377e5af0f218b313c0d3ad756cb7327
Detection
ClamAV: No threats found
Obfuscation or payload: likely
actual_type=PE; declared_or_context_type=PDF; filename=stream_006_off00007d13.bin; kind=decompressed-pdf-stream
icc_00_off000029fb.icc pdf-icc-profile PDF ICC profile at offset 0x29FB 1320 bytes
SHA-256: eb03db58ff1f226c83103a11f30b5520f9b68a7ced67daa78992723e3ea0411d