Malicious PDF — malware analysis report

Static analysis result for SHA-256 69ec0d2e039cd350…

MALICIOUS

PDF

Size: 67.7 KB | Created: 2010-10-23 04:01:59 -07:00 | First seen: 2026-05-09
MD5: dec8f536cf44f7462fc2db9b896d1f29
SHA-1: 6a64cf665eb382bdd7d4174fbf321c4e909b4951
SHA-256: 69ec0d2e039cd35063da5da444096685c0975a8f897778efadfe83e8b606f7ca
Risk Score: 72

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains embedded Flash content (module.swf), indicated by PDF_RICHMEDIA and EXTRACTED_FILE_STATIC_TRIAGE heuristics. This embedded content is a common vector for exploiting vulnerabilities to execute arbitrary code. The presence of embedded files and rich media suggests an attempt to deliver a malicious payload, likely via spearphishing.

Machine Learning

  • Nyx PDF Classifier clean score 0.2070

Heuristics (5)

  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns# (in PDF document text)
    • http://ns.adobe.com/xap/1.0/ (in PDF document text)
    • http://ns.adobe.com/xap/1.0/mm/ (in PDF document text)
    • http://purl.org/dc/elements/1.1/ (in PDF document text)
    • http://ns.adobe.com/pdf/1.3/ (in PDF document text)
    • http://ns.adobe.com/pdfx/1.3/ (in PDF document text)
    • http://adobe.com/AS3/2006/builtin (in PDF document text)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
module.swf | pdf-embedded-file | PDF EmbeddedFile object 36 at offset 0x5FB3 | 42326 bytes
    SHA-256: 4980e87931713fe242cec4b681ebe43ef1d579ba76310ff1218215d27edfefa8
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    actual_type=SWF; declared_or_context_type=PDF; filename=module.swf; kind=pdf-embedded-file
objstm_0047_00.bin | pdf-objstm-decoded | PDF /ObjStm 47 0 obj (inflated) | 455 bytes
    SHA-256: 7e3c8243f7037d7f582bb206c7a2be0cc5b2138b39cf9ee7622dd221f1e5f50e