PDF malware analysis — malicious · 885a2b5daf6ee0c9

MALICIOUS

PDF

150.9 KB

MD5: 8fa80adc6fa5838eaba695074a5ede5f SHA-1: da150c659ff9477df35ae731d39f4f2f83de6e5e SHA-256: 885a2b5daf6ee0c9138a2b556500859cb1cd34a8e97526975f4b46c2dcb8abe2

152 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1203 Exploitation for Client Execution

The PDF contains a critical heuristic firing indicating a VBScript-style decimal byte array that decodes to a PE payload. This payload was extracted and identified as a PE executable. The presence of this encoded payload strongly suggests the document's purpose is to drop and execute a secondary malicious file.

Machine Learning

Nyx PDF Classifier malicious score 0.9977

Heuristics 3

VBScript-style decimal byte array decodes to a PE payload critical PDF_VBS_DECIMAL_ARRAY_PE_PAYLOAD

PDF comment text contains a VB/VBScript-style decimal byte array, such as c(077),c(090), that decodes to a verified Windows PE executable. The rule is gated on a comment-line Array(c(...)) assignment and a valid MZ/PE header to keep false positives low.
ClamAV: Pdf.Dropper.Agent-7279706-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7279706-0
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`decimal_array_pdf_pe_00000229.exe` `1b3f6ada093de8558438f137a4e1f799f04e8a5cfa8d6fa1e9c8e2ea2a1fffb7`	embedded-pe	PDF raw comment decimal-array PE payload at offset 0x229	21895 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.84, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.