Malicious PDF — malware analysis report

Static analysis result for SHA-256 c13b6a9fc0602c13…

Verdict: MALICIOUS
File type: PDF
Size: 4.84 MB
MD5: 888d2dc2a087a385ee5dd2e40c13873d
SHA-1: 088774912b46984e442e42756de3ad27f8845920
SHA-256: c13b6a9fc0602c134c90a4710f4f67cda8fa1c85afd8574b8151a31b33f3932a
Risk score: 84

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF carries 3D content, specifically a PRC 3D stream, which is the attack surface behind the Adobe Reader U3D parser vulnerabilities listed under the heuristics (CVE-2011-2462, CVE-2009-3953). No exploit code or second-stage payload was extracted, so the verdict rests on structure and heuristic firings: a 3D stream that makes up almost the whole file, an image-only page with no text operators, and a high-entropy carved artifact. Together these strongly suggest an exploit attempt. The five extracted URLs are XMP/RDF/Dublin Core namespace identifiers from the document metadata, not link targets, and the document body is unreadable binary data, so neither adds context. Two caveats for triage: the referenced CVEs are old and fixed in supported Reader versions, so the file would only be effective against an unpatched reader, and confirming an actual exploit requires parsing the carved PRC stream or detonating the file in an instrumented Reader rather than relying on the indicators alone.

Heuristics (5)

  • PDF_U3D_CVE_RELATED [high, CVE related]: U3D/3D content in PDF (Adobe Reader 3D parser CVE-family indicator)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF_PRC_3D [high, CVE related]: PRC/3D content in PDF
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat this as a related parser-exploit indicator rather than a specific CVE match.
  • PDF_IMAGE_ONLY_LURE [info]: PDF paints image(s) but contains no text operators
    PDF has 1 image XObject and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either the raw bytes or the decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or a risky URI context.
  • EXTRACTED_FILE_STATIC_TRIAGE [info]: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                    Kind                     Source                                    Size
stream_002_off00002e87.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x2E87  4194304 bytes
  SHA-256 3d219e471b21973159d94ccbc81376de42ad2f6c09bc8d93be25fde656074764
prc_00_off0003ffd9.bin      pdf-3d-stream            PDF PRC 3D stream at offset 0x3FFD9       4696003 bytes
  SHA-256 0871f3380c74885efe796edd93a4d53ed831c53a761851cf475320a50259dd0b

The PRC stream is about 4.7 MB of a 4.84 MB file, so the 3D data is effectively the whole document. The decompressed Flate stream is exactly 4,194,304 bytes (4 MiB); a round size like that is worth checking against the carver's decompression cap before treating it as the stream's true length.

Detection

ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.97, consistent with packed or encrypted content. PRC is itself a compressed binary format, so near-8.0 entropy is also what a legitimate 3D stream would show; the entropy corroborates the structural heuristics rather than proving a hidden payload, and the clean ClamAV result only means no known signature matched.
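The checks behind the structural indicators in this report (the U3D/PRC 3D-stream heuristics, the image-only lure, and the entropy figure under Detection) can be reproduced with a small standard-library scanner. The code below is an added example, not the report generator's code. It assumes direct /Length values, FlateDecode as the only stream filter, and takes the U3D file-header block signature (b"U3D\x00") and the PRC header signature (b"PRC") as the magic bytes to look for; the one-page PDF it builds is constructed for the demonstration, not the analysed sample.

```python
"""Static PDF triage: 3D stream dictionaries and U3D/PRC magic bytes, image-only
content (image XObjects but no text operators), and entropy of decoded streams.
Added example; assumes direct /Length values and FlateDecode-only streams."""
import re
import zlib
from math import log2

# Text-showing operators named by the PDF_IMAGE_ONLY_LURE heuristic.
TEXT_OPS = re.compile(rb"(?:^|[\s\]])(?:BT|ET|Tj|TJ|'|\")(?=\s|$)")
# 3D-related names that can appear as /Type or /Subtype values.
THREE_D_NAME = re.compile(rb"/(?:Type|Subtype)\s*/(3D|U3D|PRC)\b")
U3D_MAGIC = b"U3D\x00"   # U3D file-header block type 0x00443355, little-endian
PRC_MAGIC = b"PRC"       # PRC file-header signature (assumption, see lead-in)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * log2(c / n) for c in counts if c)


def _dict_end(buf: bytes, start: int) -> int:
    """Index just past the << ... >> dictionary at buf[start], honouring nesting."""
    depth, i = 0, start
    while i < len(buf):
        if buf.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif buf.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return i
        else:
            i += 1
    raise ValueError("unterminated dictionary at offset %d" % start)


def iter_objects(pdf: bytes):
    """Yield (object number, dictionary bytes, raw stream bytes or None)."""
    for m in re.finditer(rb"(\d+)\s+\d+\s+obj\s*(?=<<)", pdf):
        start = m.end()
        end = _dict_end(pdf, start)
        d = pdf[start:end]
        raw = None
        sm = re.match(rb"\s*stream\r?\n", pdf[end:end + 16])
        lm = re.search(rb"/Length\s+(\d+)(?![\s\d]*R)", d)  # direct lengths only
        if sm and lm:
            data_start = end + sm.end()
            raw = pdf[data_start:data_start + int(lm.group(1))]
        yield int(m.group(1)), d, raw


def decode_stream(d: bytes, raw: bytes) -> bytes:
    """Inflate FlateDecode streams; keep raw bytes if inflation fails."""
    if b"/FlateDecode" not in d:
        return raw
    try:
        return zlib.decompressobj().decompress(raw)  # tolerates truncated data
    except zlib.error:
        return raw


def triage(pdf: bytes) -> dict:
    """Run the three indicators over every object and return a summary."""
    report = {"three_d": [], "image_xobjects": 0, "text_operators": False,
              "max_entropy": 0.0, "max_entropy_obj": None}
    for num, d, raw in iter_objects(pdf):
        nm = THREE_D_NAME.search(d)
        if nm:
            report["three_d"].append((num, "dict /" + nm.group(1).decode()))
        if re.search(rb"/Subtype\s*/Image\b", d):
            report["image_xobjects"] += 1
        if raw is None:
            continue
        data = decode_stream(d, raw)
        if data.startswith(U3D_MAGIC):
            report["three_d"].append((num, "U3D magic"))
        elif data.startswith(PRC_MAGIC):
            report["three_d"].append((num, "PRC magic"))
        # Text operators only matter in content/form streams, not image or 3D data.
        if not re.search(rb"/Subtype\s*/(Image|3D|U3D|PRC)\b", d) and TEXT_OPS.search(data):
            report["text_operators"] = True
        h = shannon_entropy(data)
        if h > report["max_entropy"]:
            report["max_entropy"], report["max_entropy_obj"] = h, num
    report["image_only_lure"] = report["image_xobjects"] > 0 and not report["text_operators"]
    return report


def build_sample_pdf(three_d_body: bytes, subtype: bytes = b"PRC",
                     content_ops: bytes = b"q 200 0 0 100 0 0 cm /Im0 Do Q") -> bytes:
    """Constructed one-page PDF (no xref; this scanner does not need one): a FlateDecode
    content stream, a 1x1 image XObject, and a /3D annotation whose stream holds three_d_body."""
    content = zlib.compress(content_ops)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Contents 4 0 R"
        b" /Resources << /XObject << /Im0 5 0 R >> >> /Annots [6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content)
        + content + b"\nendstream",
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /ColorSpace /DeviceGray"
        b" /BitsPerComponent 8 /Length 1 >>\nstream\n\xff\nendstream",
        b"<< /Type /Annot /Subtype /3D /Rect [0 0 200 100] /3DD 7 0 R >>",
        b"<< /Type /3D /Subtype /%s /Length %d >>\nstream\n" % (subtype, len(three_d_body))
        + three_d_body + b"\nendstream",
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


if __name__ == "__main__":
    # Constructed PRC body: signature plus a near-uniform byte blob, so the
    # stream reports close to 8.0 bits/byte like the carved artifact above.
    sample = build_sample_pdf(PRC_MAGIC + bytes(range(256)) * 4)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

On the real sample you would pass the file bytes to triage(): a hit on a /3D or /PRC dictionary plus the PRC signature at the start of the 4.7 MB stream reproduces the first two heuristics, and image_only_lure corresponds to PDF_IMAGE_ONLY_LURE. The entropy value is reported alongside because it is what the Detection section relies on, but since compressed PRC data is expected to sit near 8.0 bits per byte it should be read as corroboration, not as evidence of a hidden payload on its own.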