Malicious Photoshop (PSD) / .PNG — malware analysis report

Static analysis result for SHA-256 9e4782fa9d44f86b…

MALICIOUS

Photoshop (PSD) / .PNG

2.51 MB First seen: 2026-03-24
MD5: 59c735b5c7f13ebb137ae822f479dcdc SHA-1: f6363c7e6ac6616c7d0933f0fc74aefed2eac5c2 SHA-256: 9e4782fa9d44f86bb23b56935a9d580de85e5f47389a5eb74a04806dcd8e4111
62 Risk Score

Malware Insights

MITRE ATT&CK
T1027 Obfuscated Files or Information

The critical heuristic IMAGE_TRAILING_OVERLAY_EXECUTABLE indicates a loader-delimited encoded payload appended after the image data. This suggests the file is designed to deliver a second-stage malicious payload. No scripts were extracted, and the embedded URLs are confirmed benign, limiting further analysis of the payload's nature. The primary attack pattern is obfuscation and delivery of an unknown secondary component.

Heuristics 2

  • Loader-delimited encoded payload appended after image end critical IMAGE_TRAILING_OVERLAY_EXECUTABLE
    A valid image is followed by a large appended overlay that begins with a known stego-loader delimiter (INICIO) and is dominated by the base64 alphabet. This is the AutoIt/.NET image-stego-loader carrier shape: a lure image with an encoded PE appended after its logical end for a loader to decode and execute.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/photoshop/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://www.iec.ch

Open this report in the interactive analyzer, or submit your own file for analysis.