Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5d3f9529cb83470…

MALICIOUS

PDF

69.5 KB
MD5: 2a5d46410eecfd08b9dc845bf875e377 SHA-1: 2c00fa56df072347075ed4c969448902291aa6bc SHA-256: e5d3f9529cb834708788944bb18ca3ec124484f3cf80d254e1099d20329c95e3
100 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1055.012 Process Injection: Process Hollowing

The PDF document contains a Base64-encoded Windows executable payload, identified by the PDF_BASE64_PE_PAYLOAD heuristic. This payload is likely designed to be decoded and executed using process injection techniques, as indicated by the presence of APIs like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The ML classifier also strongly suggests maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 1

  • Base64-encoded Windows executable payload in PDF critical PDF_BASE64_PE_PAYLOAD
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
base64_pdf_pe_000002fe.exe
cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20		 embedded-pe PDF raw base64 PE payload at offset 0x2FE 52736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.