Malicious PDF — malware analysis report

Static analysis result for SHA-256 dce5c22a8f541993…

Verdict: MALICIOUS
File type: PDF
Size: 5.4 KB
MD5:     5c1c0d43385340e20cfd1f11159d7e63
SHA-1:   56eb64bca7a593541a548c132b42d725e0b35150
SHA-256: dce5c22a8f541993ac2f82cc058c94fa5b30e0553d0723c8e90ee7537b64bcb4
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF shows several indicators of malicious intent: ASCIIHexDecode filters on streams alongside exploit-delivery indicators, four embedded file attachments, an XFA form, and an AcroForm button wired to an action trigger. ClamAV flagged it with the heuristic Heuristics.PDF.ObfuscatedNameObject, meaning name objects are written with #xx hex escapes for characters that need none, a trick for evading keyword-based scanners that look for literal /JS, /Launch or /EmbeddedFile. Taken together these point to a document built to deliver a secondary payload, with the carved embedded files the first place to look. Note that the differential parser failed on this file, so the structural findings rest on the static heuristics alone.

Heuristics (6)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                   Kind               Source                                      Size
embedded_file_obj0001.bin  pdf-embedded-file  PDF EmbeddedFile object 1 at offset 0xBF    1456 bytes
    SHA-256: 3a34719f226b0450dcf0991f60689d6a3a30e7972b0341f96deb0717b0d8f921
embedded_file_obj0010.bin  pdf-embedded-file  PDF EmbeddedFile object 10 at offset 0xD19   256 bytes
    SHA-256: 8af81ed8eb133b8dbc92f16ee731a72b4418c73f308df25baea192d921e616d2
embedded_file_obj0011.bin  pdf-embedded-file  PDF EmbeddedFile object 11 at offset 0x1023  815 bytes
    SHA-256: 5649c83a36a319c1336439378049362bfb55e5f9754fc47c7181129f8a9ea302
embedded_file_obj0012.bin  pdf-embedded-file  PDF EmbeddedFile object 12 at offset 0x12BD  332 bytes
    SHA-256: 422a5430698c54d7acba092e1350d18143964b54c5496415f1d8f31cbbcf0663
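As an added worked example (not part of this report or the pipeline that produced it), the Python below implements the static checks listed under Heuristics and the carving step behind the Extracted artifacts table: it normalises #xx-escaped name objects before matching (so an obfuscated /#4C#61unch is still seen as /Launch), flags ASCIIHexDecode filters, EmbeddedFile objects, XFA references and /Btn fields with an action trigger, then extracts each EmbeddedFile stream by object number and offset, decoding ASCIIHex (and Flate) where declared. The tag names reuse the report's labels; PDF_OBFUSCATED_NAME is an assumed label for the ClamAV-style check. The PDF bytes are a constructed sample, not the analysed file. Stream boundaries are taken from the stream/endstream keywords rather than the declared /Length, because a malicious file may lie about it.

```python
import re
import zlib

# Constructed sample PDF carrying the features this report flags (not the real sample).
# Object 5 hides /Launch as /#4C#61unch; object 8 is a hex-encoded EmbeddedFile.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [5 0 R] /XFA 6 0 R >>\n"
    b"   /Names << /EmbeddedFiles << /Names [(a.bin) 7 0 R] >> >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>\nendobj\n"
    b"5 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (Download) "
    b"/A << /S /#4C#61unch /F (payload.exe) >> >>\nendobj\n"
    b"6 0 obj\n<< /Length 6 >>\nstream\n<xdp/>\nendstream\nendobj\n"
    b"7 0 obj\n<< /Type /Filespec /F (a.bin) /EF << /F 8 0 R >> >>\nendobj\n"
    b"8 0 obj\n<< /Type /EmbeddedFile /Filter /ASCIIHexDecode /Length 13 >>\n"
    b"stream\n4d5a90000300>\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

NAME_RE = re.compile(rb"/([A-Za-z0-9_.#+-]+)")
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
EMBEDDED_RE = re.compile(rb"/EmbeddedFile(?![A-Za-z])")  # not the /EmbeddedFiles name tree
ACTION_TRIGGERS = (b"/SubmitForm", b"/URI", b"/Launch", b"/JavaScript")
# "Regular" name characters never need a #xx escape; escaping them is the obfuscation signal.
REGULAR = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name objects so /#4A#53 reads as /JS."""
    def fix(m):
        raw = m.group(1)
        if b"#" not in raw:
            return m.group(0)
        return b"/" + HEX_ESC_RE.sub(lambda h: bytes([int(h.group(1), 16)]), raw)
    return NAME_RE.sub(fix, data)


def obfuscated_names(body: bytes) -> list:
    """Names that hex-escape a regular character (e.g. /#4C#61unch); /A#20B is a legitimate escape."""
    out = []
    for m in NAME_RE.finditer(body):
        raw = m.group(1)
        escaped = [int(h, 16) for h in HEX_ESC_RE.findall(raw)]
        if any(c in REGULAR for c in escaped):
            out.append(b"/" + raw)
    return out


def iter_objects(data: bytes):
    """Yield (object number, object body, stream bytes or None, byte offset of the object)."""
    for m in OBJ_RE.finditer(data):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        yield int(m.group(1)), body, (sm.group(1) if sm else None), m.start()


def scan(data: bytes) -> dict:
    """Run the report's static heuristics; returns {tag: sorted object numbers}."""
    findings = {}
    def hit(tag, num):
        findings.setdefault(tag, set()).add(num)
    for num, body, _stream, _off in iter_objects(data):
        if obfuscated_names(body):
            hit("PDF_OBFUSCATED_NAME", num)   # assumed label for the ClamAV-style check
        d = normalize_names(body)             # match keywords on the de-obfuscated dictionary
        if b"/ASCIIHexDecode" in d:
            hit("PDF_FILTER_HEX", num)
        if EMBEDDED_RE.search(d):
            hit("PDF_EMBEDDED", num)
        if b"/XFA" in d:
            hit("PDF_XFA", num)
        if b"/Btn" in d and any(t in d for t in ACTION_TRIGGERS):
            hit("PDF_ACROFORM_BUTTON", num)
    return {tag: sorted(objs) for tag, objs in findings.items()}


def carve_embedded(data: bytes) -> list:
    """Extract EmbeddedFile streams as (object number, offset, decoded bytes)."""
    out = []
    for num, body, stream, off in iter_objects(data):
        d = normalize_names(body)
        if stream is None or not EMBEDDED_RE.search(d):
            continue
        payload = stream
        if b"/ASCIIHexDecode" in d:
            hexdata = re.sub(rb"\s+", b"", payload.split(b">")[0])  # '>' is the ASCIIHex EOD marker
            if len(hexdata) % 2:
                hexdata += b"0"                                       # spec: odd trailing digit is padded
            payload = bytes.fromhex(hexdata.decode("ascii"))
        if b"/FlateDecode" in d:                                      # hex-then-flate is the filter order
            payload = zlib.decompress(payload)
        out.append((num, off, payload))
    return out


if __name__ == "__main__":
    for tag, objs in scan(SAMPLE_PDF).items():
        print(f"{tag:22s} objects {objs}")
    for num, off, payload in carve_embedded(SAMPLE_PDF):
        print(f"EmbeddedFile object {num} at offset 0x{off:X}: {len(payload)} bytes, head {payload[:2]!r}")
```

Run against a real sample, pipe each carved payload through file-type identification and hash it; a carved blob beginning with MZ or %PDF is the nested payload the PDF_EMBEDDED heuristic warns about. Because the scanner works on raw bytes and never trusts /Length or the xref table, it still produces findings on files that make structural parsers such as pdfminer.six fail, which is exactly the situation the differential-parse heuristic above describes.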