Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a2aea8264a903d1…

Verdict: MALICIOUS
File type: PDF
Size: 180.4 KB
Created: 2007-01-03 08:15:07 UTC
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 5.0.5 (Windows))
MD5: 1e753abe883427abe9531fafed191597
SHA-1: a91c38371956d7c50c609707fedc3063e6611d95
SHA-256: 5a2aea8264a903d15ed674e9f18a07601305be7f5f2824a14c496a0147fd29b4
Risk Score: 132

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file was identified as malicious due to the presence of an embedded Windows executable payload. This strongly suggests the file is intended to be delivered as an attachment in a phishing attempt, leading to the execution of the embedded malware. The specific exploit used to deliver the payload is unclear from the static analysis, but the presence of an executable payload is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier clean score 0.0544

Heuristics (5)

  • Embedded Windows executable payload in PDF stream [critical] PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Pdf.Exploit.Agent-19106 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-19106
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://www.iec.ch

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source location inside the PDF, and size.

  • usbprns.exe
    SHA-256: e8fe0e657ed51d6e7964b666ef047447036fbb2de6a9d67a4b3421a313bc23a8
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 55 at offset 0x24B47
    Size: 32768 bytes
  • pickup_mp.prn
    SHA-256: 592aa90aaa88a2f17cfbfc376e4ac694b0d213c8f1708e6e4ae2a89aa2e3f925
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 72 at offset 0x28D73
    Size: 60 bytes
  • pickup_tray1.prn
    SHA-256: 2fc956689f6c8c14a1e78a6f98998e72fdf64daf7ebd5290835a1a9ae06a461c
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 84 at offset 0x28FF9
    Size: 63 bytes
  • pickup_tray2.prn
    SHA-256: 0ff08fd0f0434a72c841ce4f24df35410572723fd635fefae5ab72312e9202ff
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 96 at offset 0x29287
    Size: 63 bytes
  • stream_016_off00017e03.bin
    SHA-256: da7ebc3e96984898f74e2689c7edfbb541d0891051e6f36ba847569dce9291ad
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17E03
    Size: 44648 bytes
  • icc_00_off00023e54.icc
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x23E54
    Size: 3144 bytes