MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1203 Exploitation for Client Execution
T1059.001 PowerShell
The PDF document contains a Base64-encoded PE payload, identified by the PDF_BASE64_PE_PAYLOAD heuristic. This payload is likely a second-stage executable designed to be decoded and executed, potentially leading to botnet activity as suggested by the document body. The presence of process injection APIs further indicates malicious intent. The extracted executable's SHA256 hash is provided as a primary IOC.
Machine Learning
- Nyx PDF Classifier malicious score 0.9959
Heuristics 2
- Base64-encoded Windows executable payload in PDF (critical, PDF_BASE64_PE_PAYLOAD): PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.
- Suspicious extracted artifact (high, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| base64_pdf_pe_00000284.exe | embedded-pe | PDF raw base64 PE payload at offset 0x284 | 52736 bytes |

SHA-256: 3e191f3980c6c9c0f7a643d462cde9f9c333d3662f819e3eff7b35308282c947

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely
- actual_type=PE; declared_or_context_type=PDF; filename=base64_pdf_pe_00000284.exe; kind=embedded-pe
- Static shellcode analysis found candidate code region(s). Indicators: SC_PUSH_STRING, SC_STR_VIRTUALALLOC, SC_STR_POWERSHELL
- Static shellcode analysis recovered API/import strings: VirtualAlloc, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, OpenProcess
- Static shellcode analysis recovered command string(s): PowerShell