Malicious PDF — malware analysis report

Static analysis result for SHA-256 98d97c3a8a86a13b…

MALICIOUS

PDF

File size: 25.0 KB
Created: 2010-05-19 17:31:03
Authoring application: PScript5.dll Version 5.2.2 (via GPL Ghostscript 8.15)
MD5: e384bcdea500dbbc9ffd943bf3a19742
SHA-1: d8dfc1dcf4fd1e943aaf771bf02be372af8122b7
SHA-256: 98d97c3a8a86a13b813de2f99a701f6917ed433bfb1b29b63d493d4eb362ca3c
Risk score: 72

Malware Insights

MITRE ATT&CK
  • T1553.005 Mark-of-the-Web Bypass
  • T1105 Ingress Tool Transfer

The PDF file contains an embedded Windows executable payload, identified by the 'PDF_EMBEDDED_PE_PAYLOAD' heuristic. The embedded artifact 'rAiN-ViV.a.exe' is suspicious. The presence of external URIs, although benign in reputation, suggests a potential delivery or command-and-control vector. The overall structure indicates a likely attempt to disguise and deliver a malicious executable.

Machine Learning

  • Nyx PDF Classifier clean score 0.0603

Heuristics (5)

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.pdfill.com)/S/URI
    • http://www.pdfill.com

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: rAiN-ViV.a.exe
  SHA-256: 117b93e448659570c14b057e1c827144189bc38c4ed6dd25aa6b60b57c562538
  Kind: pdf-embedded-file
  Source: PDF EmbeddedFile object 5 at offset 0xDE
  Size: 22016 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.76, consistent with packed or encrypted content)

Filename: font_00_sfnt_off0000564f.bin
  SHA-256: 0204e736094073b5517e3834a972e99891f6785049f1a183850c81db190dfd08
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x564F
  Size: 5008 bytes