Malicious PDF — malware analysis report

Static analysis result for SHA-256 d18d900ccf875d19…

Verdict: MALICIOUS
File type: PDF
File size: 69.5 KB
MD5: a23a9651bf4e1efc69c1087a5a83c275
SHA-1: 57b454690df4f59f024c8c945c4d81d5f4024e8d
SHA-256: d18d900ccf875d1937cd2a56cd00c4a1340e2c690a6784a78341be8e32722697
Risk Score: 60

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File
  • T1071.001 Web Protocols
  • T1055.012 Process Hollowing

The PDF file triggers a critical heuristic indicating a Base64-encoded Windows executable payload. This payload is likely intended to be decoded and executed, potentially using process injection techniques, as suggested by the presence of the VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs. The embedded executable's SHA-256 hash is provided as a high-priority IOC.

Heuristics (1)

  • Base64-encoded Windows executable payload in PDF [critical] (PDF_BASE64_PE_PAYLOAD)
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_000002fe.exe
SHA-256: cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20
Kind: embedded-pe
Source: PDF raw base64 PE payload at offset 0x2FE
Size: 52736 bytes