Malicious PDF — malware analysis report

Static analysis result for SHA-256 9dd916be5353e661…

Verdict: MALICIOUS
File type: PDF
Size: 12.1 KB
MD5: 6d6ea15d78544ab0ac6c156bdca30b43
SHA-1: 73b2b986f0f6a106562dfbb9e67f63e3b8b16ebd
SHA-256: 9dd916be5353e661fd3b0fa93b576f04dc85cebb5b61b7b3ee3c948548cfaba4
Risk score: 98

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Exploit.Dropped-90, indicating it contains an exploit. The presence of an embedded file and the use of ASCIIHexDecode filters with exploit indicators further support this. While no document body text was available for content analysis, the heuristics strongly suggest this PDF is designed to exploit a vulnerability and drop a secondary malicious payload.

Heuristics (5)

  • ClamAV: Pdf.Exploit.Dropped-90 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-90
  • ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Embedded file [low, PDF_EMBEDDED]
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form [low, PDF_XFA]
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed [info, PDF_DIFFERENTIAL_PARSE_FAILED]
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  embedded_file_obj0001.bin
SHA-256:   466b00a1825e0d0e94e28a07385a021da04d7474a4d362f8f07c6aea1f3a7ecc
Kind:      pdf-embedded-file
Source:    PDF EmbeddedFile object 1 at offset 0x5A
Size:      1879 bytes