Malicious PDF — malware analysis report

Static analysis result for SHA-256 826f52a9f8ec79d3…

Verdict: MALICIOUS
File type: PDF
Size: 19.5 KB
Created: 2010-07-06 21:04:53
Authoring application: Virtual PDF Printer - www.go2pdf.com (via Virtual PDF Printer1.01)
First seen: 2026-05-11
MD5: f22962f562ae8c0df05eb2f21e9f7948
SHA-1: a195a5ca6eff60179115f4d4ea620baefe59a964
SHA-256: 826f52a9f8ec79d315fa29b1dc39029e2673208bf102fc2bea5fba6d461a7786
Risk score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

Heuristic analysis produced one critical finding: a Windows executable (PE image) is embedded inside a PDF stream rather than attached as a standard /EmbeddedFile. The ML classifier independently scored the document as malicious with high confidence (0.9255). The single extracted URL, http://www.go2pdf.com, is not malicious in this context: it belongs to the authoring tool recorded in the document metadata and is reached only through a link annotation, so it is provenance context rather than evidence of attacker infrastructure. The embedded executable, not the URL, is the artifact that warrants further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9255

Heuristics (4)

  • [critical] PDF_EMBEDDED_PE_PAYLOAD: Embedded Windows executable payload in PDF stream
    The bytes of a PDF stream contain a Windows executable with a verified PE header (an MZ DOS header whose e_lfanew field points at a PE\0\0 signature). Exploit chains often hide droppers inside ordinary, Flate-compressed content streams rather than in standard /EmbeddedFile attachments, which is where attachment-oriented checks do not look.
  • [low] PDF_EMBEDDED: Embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [info] PDF_URI: External URI
    The PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.go2pdf.com (channel: PDF link annotation)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_001_off00001149.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1149
Size: 31073 bytes
SHA-256: de5288959893b4514f11d0e9fa4e49727082cfa7df17e81bf3239ccc7fd546c4
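As an added illustration of how a PDF_EMBEDDED_PE_PAYLOAD finding and a carved artifact like the one above are produced (this is example code written for this report, not the analysis engine's own), the script below walks the stream objects of a PDF, inflates those declared /FlateDecode, searches the decoded bytes for an MZ header whose e_lfanew points at a PE\0\0 signature, and reports the stream's file offset, decoded size and SHA-256 in the same shape as the artifact entry. The one-object sample PDF and the stub executable inside it are constructed inline so the script runs offline; the stream parser is deliberately minimal (direct integer /Length only, keyword-based, no object streams or cross-reference parsing) and is an assumption about how such a carver works, not a description of the engine.

```python
"""Carve PDF stream objects, inflate FlateDecode ones and flag any that carry a Windows PE image.

Illustration added to this report; it is not the analysis engine's own code. The one-object
PDF and the stub "executable" it contains are constructed here so the script runs offline.
"""
import hashlib
import re
import struct
import zlib

# 'stream' keyword followed by EOL, not the tail of 'endstream'.
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
# Direct integer /Length only; an indirect reference such as '/Length 5 0 R' is not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\s*(?=/|>>)")
MZ_SIG, PE_SIG = b"MZ", b"PE\x00\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_pe(data: bytes) -> int:
    """Offset of the first verified PE image inside data, or -1.

    A bare 'MZ' is weak evidence (it occurs in ordinary binary data). What makes the finding
    'verified' is that e_lfanew (DOS header offset 0x3C) points at a 'PE\\0\\0' signature.
    """
    pos = data.find(MZ_SIG)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            # Real images keep the NT headers close to the DOS stub; 0x1000 is a sanity bound.
            if 0x40 <= e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == PE_SIG:
                return pos
        pos = data.find(MZ_SIG, pos + 1)
    return -1


def carve_streams(pdf: bytes):
    """Yield (file offset of stream data, decoded bytes, filter label) for every stream object."""
    for m in STREAM_START_RE.finditer(pdf):
        start = m.end()
        # The stream dictionary lies between the enclosing 'N G obj' and the 'stream' keyword.
        obj_start = pdf.rfind(b" obj", 0, m.start())
        dictionary = pdf[obj_start:m.start()] if obj_start != -1 else b""
        length = LENGTH_RE.search(dictionary)
        if length:
            end = start + int(length.group(1))
        else:
            end = pdf.find(b"endstream", start)   # indirect /Length: fall back to the keyword
            if end == -1:
                continue
            while end > start and pdf[end - 1:end] in (b"\r", b"\n"):
                end -= 1                          # drop the EOL that precedes 'endstream'
        raw = pdf[start:end]
        if b"/FlateDecode" not in dictionary:
            yield start, raw, "none"
            continue
        try:
            yield start, zlib.decompress(raw), "FlateDecode"
        except zlib.error:
            yield start, raw, "FlateDecode(corrupt)"   # still inspect the raw bytes


def scan_pdf(pdf: bytes) -> list:
    """One finding per stream whose (decoded) bytes embed a verified PE image."""
    findings = []
    for offset, data, flt in carve_streams(pdf):
        pe_at = find_pe(data)
        if pe_at != -1:
            findings.append({
                "stream_offset": offset,
                "filter": flt,
                "decoded_size": len(data),
                "pe_offset_in_stream": pe_at,
                "sha256": sha256_hex(data),
            })
    return findings


def _build_sample() -> tuple:
    """Constructed data: a 256-byte PE stub (DOS header + PE signature, nothing executable)
    Flate-compressed into a one-object PDF, the same shape as the report's carved artifact."""
    stub = bytearray(0x100)
    stub[0:2] = MZ_SIG
    struct.pack_into("<I", stub, 0x3C, 0x80)   # e_lfanew -> 0x80
    stub[0x80:0x84] = PE_SIG
    deflated = zlib.compress(bytes(stub))
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(deflated)).encode()
           + b" /Filter /FlateDecode >>\nstream\n" + deflated
           + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return bytes(stub), pdf


FAKE_PE, SAMPLE_PDF = _build_sample()

if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"PE at +0x{f['pe_offset_in_stream']:x} in {f['filter']} stream at file offset "
              f"0x{f['stream_offset']:x}: {f['decoded_size']} bytes, sha256={f['sha256']}")
```

Against a real file, `scan_pdf(open(path, "rb").read())` returns the same dictionaries, and hashing the decoded bytes rather than the compressed ones is what makes the SHA-256 comparable to an artifact carved by another tool. Two caveats a practitioner should keep in mind: a sample can defeat the /Length lookup with an indirect reference or a lying value (the fallback keyword scan covers the common cases but not all), and a PE split across streams, additionally encoded with /ASCIIHexDecode or stored in an object stream will not be seen by this minimal parser.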