Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ba5d9cad7f7d41e…

MALICIOUS

PDF

69.5 KB
MD5: db43972be531897cb571c1569d7187e2 SHA-1: cb7a9ad7ce49302d2318a1348718107da9cc8caa SHA-256: 6ba5d9cad7f7d41e471c4ad15fb61076b14c6639e5b2c3ff272380345e29b2bf
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1055.012 Process Hollowing

The PDF file contains a critical heuristic firing indicating a Base64-encoded Windows executable payload. This payload is likely intended to be decoded and executed, potentially using process injection techniques as suggested by the presence of VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs. The embedded executable's SHA256 hash is provided as a high-priority IOC.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 1

  • Base64-encoded Windows executable payload in PDF critical PDF_BASE64_PE_PAYLOAD
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
base64_pdf_pe_000002fe.exe
cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20		 embedded-pe PDF raw base64 PE payload at offset 0x2FE 52736 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.