Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc8ff23b86d53f49…

MALICIOUS

PDF

90.4 KB
MD5: ac8c1f9d5419a657e4ed1a0ae54f852c SHA-1: 3c364c56f860b0e4b04125bbc2d9b80d34f3799f SHA-256: bc8ff23b86d53f491cda7889765fc825d0ca2b3a3ccb55858b44c9fce67d1a0b
102 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF is heavily obfuscated and contains an encrypted, embedded PDF, as indicated by the 'PDF_ENCRYPTED_WITH_JS' and 'POLYGLOT_CHILD_PDF_STATIC_TRIAGE' heuristics. This suggests the primary purpose is to conceal a malicious payload. The embedded PDF itself also shows suspicious static findings, further reinforcing the malicious intent. No specific IOCs like URLs or hashes were extracted from the available evidence.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.2548

Heuristics 3

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
polyglot_child_pdf_off000036f7.pdf
1411125936bd9e5b15fd9700a6c26c5fc51ce9ca7287d8d8338a4985213bf126		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x36F7 78453 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.