Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3f2bf8efdda7472…

Verdict: MALICIOUS
File type: PDF
File size: 69.5 KB
MD5: 77b678800b1add6bf75126cb239324f4
SHA-1: 93d89fd57c3957d7b92c0c8770dddf40b149a022
SHA-256: a3f2bf8efdda7472b02a445c31e2f8e8325498f98a1ec4b5a0522e1d710dcbe4
Risk Score: 60

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1055 Process Injection

The PDF file contains a Base64-encoded PE payload, identified by the PDF_BASE64_PE_PAYLOAD heuristic. The payload is likely intended to be decoded and executed using process injection techniques, as indicated by the presence of VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs. The specific family is not identifiable from the provided evidence.

Heuristics (1)

  • Base64-encoded Windows executable payload in PDF [critical] (PDF_BASE64_PE_PAYLOAD)
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_000002fe.exe
SHA-256:  cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20
Kind:     embedded-pe
Source:   PDF raw base64 PE payload at offset 0x2FE
Size:     52736 bytes