Malicious PDF — malware analysis report

Static analysis result for SHA-256 6648302d497ee236…

Verdict: MALICIOUS
File type: PDF
Size: 870.3 KB
Authoring application: Microsoft® Word 2016
MD5: e0b6767ec3528bcab544e48cfa5cbf2a
SHA-1: e8ffcfa76b9cd4445664824ca2091684e5b1e3b6
SHA-256: 6648302d497ee2364d3b10d0bebd1c30cedf649117a682754aebd35761a5d2ff
Risk score: 60

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF file was classified as malicious because a critical-severity heuristic fired on a ZIP archive hidden inside a raw PDF stream. The archive contains several DLL files, so the PDF is most likely acting as a dropper for a multi-stage infection: the document is the lure, and the hidden archive carries the Windows code to be extracted and executed. This is a static finding; the dropper role is inferred from the payload contents, not observed at runtime.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0478

Heuristics (1)

  • [critical] PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD: Hidden ZIP payload with executable entries inside PDF stream
    The raw bytes of a PDF stream contain an embedded ZIP archive whose local file headers name Windows executable files. This is not a normal PDF attachment (an /EmbeddedFile object, which a viewer would list and which a scanner would inspect as such); the archive is hidden inside an ordinary content stream, a strong indicator of a malware loader or payload-smuggling pattern. Legitimate attachments that are themselves ZIP containers (for example a .docx) also carry local file headers, so the discriminator is the combination of executable entry names and the undeclared location, not the ZIP signature alone.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: hidden_pdf_zip_off00000048.zip
SHA-256: 798a7efb32506ee40951355bb354c618d5d58fc77bc22fef23a769fc5caef04e
Kind: pdf-hidden-zip
Source: PDF raw stream ZIP payload at offset 0x48
Size: 888881 bytes
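The heuristic above and the carved artifact below it are two halves of one procedure: walk the raw PDF bytes for ZIP local file headers, read the entry names, decide whether the enclosing stream is a declared /EmbeddedFile attachment, then carve the archive from its first local header through the End of Central Directory record and hash it. The following Python is an added example of that procedure, not the scanner that produced this report. The sample PDF, the entry names (loader.dll, payload.exe, word/document.xml) and the executable-extension list are constructed for the demonstration; the /EmbeddedFile check is a simplified textual one that does not walk the xref table.

```python
"""Find ZIP archives hidden in raw PDF stream bytes, flag executable entry
names, then carve and hash the archive. Added example; sample data is
constructed, not taken from the analysed file."""
import hashlib
import io
import struct
import zipfile

LOCAL_HDR_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
# Windows executable extensions to flag (assumed list for this example).
EXEC_EXT = (".exe", ".dll", ".scr", ".cpl", ".ocx", ".sys", ".drv")


def zip_entries(data: bytes):
    """Yield (offset, filename) for each plausible ZIP local file header.
    Layout: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
    csize(4) usize(4) namelen(2) extralen(2) name extra."""
    pos = data.find(LOCAL_HDR_SIG)
    while pos != -1:
        if pos + 30 <= len(data):
            name_len, _extra_len = struct.unpack_from("<HH", data, pos + 26)
            name = data[pos + 30:pos + 30 + name_len]
            # Reject chance 4-byte matches inside compressed streams: a real
            # header carries a short, printable filename.
            if 0 < name_len < 256 and all(32 <= b < 127 for b in name):
                yield pos, name.decode("ascii")
        pos = data.find(LOCAL_HDR_SIG, pos + 1)


def inside_embedded_file(data: bytes, offset: int) -> bool:
    """True if the stream containing offset is a declared /EmbeddedFile:
    look at the object dictionary preceding the nearest 'stream' keyword.
    Simplified: no xref walk, no indirect references."""
    stream_kw = data.rfind(b"stream", 0, offset)
    if stream_kw == -1:
        return False
    obj_kw = data.rfind(b" obj", 0, stream_kw)
    return b"/EmbeddedFile" in data[max(obj_kw, 0):stream_kw]


def scan_pdf(data: bytes) -> dict:
    """Apply the heuristic: executable entry names in a ZIP whose stream is
    not a declared attachment. Assumes at most one embedded archive."""
    entries = list(zip_entries(data))
    if not entries:
        return {"zip_offset": None, "executable_entries": [],
                "declared_attachment": False, "verdict": None}
    start = entries[0][0]
    exe_names = [n for _, n in entries if n.lower().endswith(EXEC_EXT)]
    declared = inside_embedded_file(data, start)
    fires = bool(exe_names) and not declared
    return {"zip_offset": start, "executable_entries": exe_names,
            "declared_attachment": declared,
            "verdict": "PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD" if fires else None}


def carve_zip(data: bytes, start: int) -> bytes:
    """Carve one archive: first local header through the EOCD record
    (22 fixed bytes plus a variable-length comment)."""
    eocd = data.find(EOCD_SIG, start)
    if eocd == -1:
        raise ValueError("no End of Central Directory record after offset")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return data[start:eocd + 22 + comment_len]


def artifact_record(data: bytes, start: int) -> dict:
    """Describe the carved archive the way the report table does
    (filename pattern mirrors hidden_pdf_zip_off<offset>.zip)."""
    blob = carve_zip(data, start)
    return {"filename": "hidden_pdf_zip_off%08x.zip" % start,
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob), "bytes": blob}


def build_sample_pdf(names, declared=False):
    """Constructed sample: a PDF whose first stream is a ZIP naming the
    given entries (dummy MZ-prefixed bytes, not real executables).
    declared=True writes the stream as a /EmbeddedFile attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for n in names:
            z.writestr(n, b"MZ" + b"\x00" * 64)
    zip_bytes = buf.getvalue()
    dict_type = b"/Type /EmbeddedFile " if declared else b""
    head = (b"%PDF-1.7\n1 0 obj\n<< " + dict_type
            + b"/Length %d >>\nstream\n" % len(zip_bytes))
    tail = b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return head + zip_bytes + tail, zip_bytes


if __name__ == "__main__":
    pdf, _ = build_sample_pdf(("loader.dll", "payload.exe"))
    result = scan_pdf(pdf)
    print(result)
    if result["verdict"]:
        rec = artifact_record(pdf, result["zip_offset"])
        print(rec["filename"], rec["sha256"], rec["size"])
```

The printable-name check in zip_entries is what keeps a byte scan usable on real documents: FlateDecode streams are close to random and will eventually contain the four-byte PK signature by chance, but not followed by a sane filename. The declared-attachment test exists so that a .docx legitimately attached via /EmbeddedFile (also a ZIP full of local headers) does not trip the rule; only executable names in an undeclared stream do.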