Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b1826d01c72e908…

MALICIOUS

PDF

Size: 24.5 KB | Created: 2010-05-19 17:31:03 | Authoring application: PScript5.dll Version 5.2.2 (via GPL Ghostscript 8.15)
MD5: c3a6ac9caf59b8903ff931209480522b SHA-1: ae6af4a79b6a6af4fb9abd8f0344415ca05a8604 SHA-256: 5b1826d01c72e9080520b24a5a3213ad661f090dc1e9c21dbb7d51e94cf01a87
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF was classified as malicious because one of its FlateDecode streams (carved as stream_002_off00001303.bin from offset 0x1303) contains an embedded Windows executable. A PE image inside an ordinary content stream plays no part in rendering the document, so the file is best read as a delivery vehicle for that payload; the carved stream is the primary indicator of the malicious functionality.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0003 (a low clean score means the model rates the file as almost certainly not benign)

Heuristics (2)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    The bytes of a PDF stream contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than in standard /EmbeddedFile attachments, which is where attachment-aware scanners look first.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files carved from this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download keywords.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00001303.bin
SHA-256: 117b93e448659570c14b057e1c827144189bc38c4ed6dd25aa6b60b57c562538
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1303
Size: 22016 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely. Carved artifact entropy is 7.76, consistent with packed or encrypted content. A signature miss on a packed executable is expected and does not weaken the verdict: the verified PE header and its placement inside an ordinary content stream are the indicators here, and the payload hash above can be used for further lookups or dynamic analysis.

Filename: font_00_sfnt_off0000059c.bin
SHA-256: 0204e736094073b5517e3834a972e99891f6785049f1a183850c81db190dfd08
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x59C
Size: 5008 bytes
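As an added example (not the report's or the analysis pipeline's own code), the Python below reproduces the two checks behind the PDF_EMBEDDED_PE_PAYLOAD heuristic and the entropy note on the carved stream: it carves stream objects from a PDF, inflates FlateDecode streams, verifies an embedded PE header by following e_lfanew to the PE signature rather than trusting the two MZ bytes alone, and computes the Shannon entropy used to call a blob packed or encrypted. The PDF it scans is constructed in memory with a fake, non-functional PE image and a decoy stream that merely contains the letters MZ; all function and variable names are the example's own.

```python
"""Carve PDF streams, inflate FlateDecode ones, verify an embedded PE header
and measure entropy. Added example, not the report generator's code; the
sample PDF below is constructed in memory so the script runs offline."""
import math
import random
import re
import struct
import zlib
from collections import Counter

# "N G obj << ... >> stream\n": capture the object number and stream dictionary.
# The dictionary is matched non-greedily but anchored on the following 'stream'
# keyword, so nested dictionaries inside it do not cut the match short.
OBJ_STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.DOTALL)
# Direct /Length only (followed by another key or '>>'); "/Length 5 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*(?:/|>>))")


def carve_streams(pdf: bytes):
    """Yield (object number, data offset, stream dictionary, decoded bytes)."""
    for m in OBJ_STREAM_RE.finditer(pdf):
        objnum, dictionary, start = int(m.group(1)), m.group(3), m.end()
        length = LENGTH_RE.search(dictionary)
        if length:
            end = start + int(length.group(1))
        else:  # no usable /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end == -1:
                continue
            end = start + len(pdf[start:end].rstrip(b"\r\n"))
        raw = pdf[start:end]
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                data = raw  # corrupt or truncated stream: scan the raw bytes instead
        yield objnum, start, dictionary, data


def find_pe(data: bytes):
    """Offset of the first MZ header whose e_lfanew points at 'PE\\0\\0', else None.
    Requiring the PE signature is what makes the header 'verified' and keeps the
    letters MZ inside ordinary text from firing."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if data[pos + e_lfanew : pos + e_lfanew + 4] == b"PE\x00\x00":
                return pos
        pos = data.find(b"MZ", pos + 1)
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random; values above ~7.5 suggest packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_pdf(pdf: bytes):
    """One record per stream object; 'pe_offset' is None unless a verified PE header was found."""
    return [
        {
            "object": objnum,
            "offset": offset,
            "flate": b"/FlateDecode" in dictionary,
            "size": len(data),
            "entropy": round(shannon_entropy(data), 2),
            "pe_offset": find_pe(data),
        }
        for objnum, offset, dictionary, data in carve_streams(pdf)
    ]


def _fake_pe(body_size=4096, seed=7):
    """Constructed stand-in for a packed dropper: valid MZ/PE headers, random body (hypothetical)."""
    img = bytearray(0x80)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)            # e_lfanew -> PE header at 0x80
    img += b"PE\x00\x00" + struct.pack("<H", 0x14C)     # IMAGE_FILE_MACHINE_I386
    img += b"\x00" * 18                                 # remainder of the COFF header
    rng = random.Random(seed)
    img += bytes(rng.getrandbits(8) for _ in range(body_size))
    return bytes(img)


def _build_pdf(streams):
    """Minimal PDF with one stream object per (extra dictionary keys, raw bytes) pair."""
    out = bytearray(b"%PDF-1.4\n")
    for n, (extra, raw) in enumerate(streams, 1):
        out += b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (n, len(raw), extra)
        out += raw + b"\nendstream\nendobj\n"
    out += b"%%EOF\n"
    return bytes(out)


# Constructed sample: a content stream, a hidden PE (the heuristic's target) and a decoy.
DECOY = b"Minutes: MZ will present the Q3 numbers; PE review moved to Friday. " * 20
SAMPLE_PDF = _build_pdf([
    (b"", b"BT /F1 12 Tf (Invoice attached) Tj ET"),
    (b"/Filter /FlateDecode", zlib.compress(_fake_pe())),
    (b"/Filter /FlateDecode", zlib.compress(DECOY)),
])

if __name__ == "__main__":
    for rec in scan_pdf(SAMPLE_PDF):
        flag = "EMBEDDED PE" if rec["pe_offset"] is not None else "-"
        print(f"obj {rec['object']} @0x{rec['offset']:x} flate={rec['flate']} "
              f"size={rec['size']} entropy={rec['entropy']} {flag}")
```

Only the second stream is reported as carrying a PE: the decoy stream contains MZ but the bytes at its e_lfanew do not spell the PE signature, which is the distinction the report's "verified PE header" wording draws, and its entropy is that of plain text while the packed payload sits near 8 bits per byte. Real PDFs also use object streams, other filters (LZW, ASCIIHex, ASCII85) and filter chains, which this carver does not decode.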