Malicious PDF — malware analysis report

Static analysis result for SHA-256 6dc12cf812713899…

Verdict: MALICIOUS
File type: PDF
Size: 68.0 KB
First seen: 2026-06-10
MD5: c86f178b70f1e16b41fd0ab3fc806a1b
SHA-1: 2ac8c18838e69a72daee84013924536ff1a37f35
SHA-256: 6dc12cf812713899022564f610504030bb6bc02ee6a8fe94ab782fadd23ff886
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.001 PowerShell

The PDF document contains a Base64-encoded PE payload, identified by the PDF_BASE64_PE_PAYLOAD heuristic. This payload is likely a second-stage executable designed to be decoded and executed, potentially leading to botnet activity as suggested by the document body. The presence of process injection APIs further indicates malicious intent. The extracted executable's SHA-256 hash is provided as the primary IOC.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9952

Heuristics (2)

  • Base64-encoded Windows executable payload in PDF (severity: critical, rule: PDF_BASE64_PE_PAYLOAD)
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_00000284.exe
Kind: embedded-pe
Source: PDF raw base64 PE payload at offset 0x284
Size: 51712 bytes
SHA-256: 52b0b4ea91c3ba48fbc5d35ec6ecb6262bcb985559cfa7c6c317742fded5d3a7
Detection: ClamAV: No threats found
Obfuscation or payload: likely
Triage details: actual_type=PE; declared_or_context_type=PDF; filename=base64_pdf_pe_00000284.exe; kind=embedded-pe
Static shellcode analysis recovered command string(s): PowerShell