Malicious PDF — malware analysis report

Static analysis result for SHA-256 8913cbac85058733…

MALICIOUS

PDF

252.0 KB
MD5: ab4a156110ade57f156747bc1ff686a3
SHA-1: 267d7125b867ab7843f589947b7e4cd9969197dc
SHA-256: 8913cbac8505873357fa762b820c92b39f9b38d4cf7b83f9dbab4cb588989cbe

Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File

The PDF file was flagged by a machine learning classifier as malicious with high probability. Heuristics indicate the presence of U3D content, which is rare in benign documents and is often associated with the family of CVEs targeting Adobe Reader's 3D parsing functionality. The file is also identified as an 'image only lure', meaning it relies on rendered pixels for visual deception rather than on readable text. An embedded file attachment was detected as well, which is a likely carrier for the malicious payload. Because the PDF is encrypted, static analysis cannot inspect its string and stream contents, which further raises suspicion.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9613

Heuristics (4)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; CVE related; PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • Embedded file (severity: low; PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Encrypted PDF: string and stream contents are opaque to static scan (severity: info; PDF_ENCRYPTED)
    PDF declares /Encrypt, so string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators (severity: info; PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.