Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd4cde7328151b4c…

MALICIOUS

PDF

473.6 KB Authoring application: Gnostice PDFtoolkit V2.5
MD5: 13b4b6c263ba5517cb89d19b807d20ce SHA-1: 20f919616ce9930d4960799b445a1b8da74a7b0b SHA-256: cd4cde7328151b4cd40f6ab48e5e27c814be5c540b854d6c468e6dd0d84e375f
78 Risk Score

Malware Insights

MITRE ATT&CK
T1555 Credentials from Password Stores T1059 Command and Scripting Interpreter

The PDF file was identified as malicious due to the presence of an embedded Windows executable payload. The embedded file, named 'embedded_file_obj0016.bin', is the primary indicator of malicious activity. No scripts were extracted, and the document body was unreadable, making it difficult to determine the exact lure or delivery mechanism beyond the embedded payload.

Heuristics 5

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0016.bin
c4721f994a164ad0a7540caeeb7564c6ebdf1aa16fc7b2b542f95818f7071e26		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x3051 471652 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.50, consistent with packed or encrypted content.
font_00_cff_off00001746.bin
309bfb2a99c5a6fc32b1a2596e2026ad61ec905ed3395b9f560dd9b07ade01ab		 pdf-font-stream PDF embedded font (cff) at offset 0x1746 2274 bytes
font_01_cff_off00002346.bin
96b9c39a97d85022dcb0fc00b081687752161d2a70ea0c1058dea417a57cbd6b		 pdf-font-stream PDF embedded font (cff) at offset 0x2346 3371 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.