Malicious Photoshop (PSD) / .PNG — malware analysis report

Static analysis result for SHA-256 57f822db6fd7f7fb…

MALICIOUS

Photoshop (PSD) / .PNG

2.86 MB First seen: 2026-03-24
MD5: 0bcd49e8a94f960ba99d4a51b390d69b SHA-1: 7a860d09837adae19f217288f798854f76c34977 SHA-256: 57f822db6fd7f7fb11d4678d858fc1aab469ca65e0e1880ef2276ffc650bb274
62 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The critical heuristic `IMAGE_TRAILING_OVERLAY_EXECUTABLE` indicates that a base64-encoded executable payload is appended to the end of the image file. This payload is likely intended to be decoded and executed by a loader component, which is a common technique for delivering second-stage malware. No document body or scripts were extracted, limiting further analysis of the specific payload's intent. The embedded URLs are confirmed benign and do not contribute to the maliciousness.

Heuristics 2

  • Loader-delimited encoded payload appended after image end critical IMAGE_TRAILING_OVERLAY_EXECUTABLE
    A valid image is followed by a large appended overlay that begins with a known stego-loader delimiter (INICIO) and is dominated by the base64 alphabet. This is the AutoIt/.NET image-stego-loader carrier shape: a lure image with an encoded PE appended after its logical end for a loader to decode and execute.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.