Verdict: MALICIOUS
Risk Score: 100
Malware Insights
MITRE ATT&CK
T1553.004 Subvert Trust Controls: Mark-of-the-Web Bypass
T1140 Deobfuscate/Decode Files or Information
T1027 Obfuscated Files or Information
The PDF contains a hidden ZIP archive, carved from a decompressed object stream at file offset 0x16563, which in turn holds an executable named 'java_Update.exe'. This indicates a multi-stage delivery chain in which the PDF acts only as a container for the payload. Hiding a ZIP inside an ordinary PDF stream rather than declaring it as an attachment is a common smuggling technique: the document opens normally in a PDF reader, while inspection that only looks at declared attachments (/EmbeddedFile) or at the file's top-level type never sees the archive.
Machine Learning
- Nyx PDF Classifier suspicious score 0.4547
Heuristics (3)
- Hidden ZIP payload with executable entries inside PDF stream (severity: critical; rule: PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD). PDF stream bytes contain an embedded ZIP archive whose local file headers name executable payload files. This is not a normal PDF attachment (/EmbeddedFile): it hides Windows payloads inside an ordinary stream, a strong malware-loader or smuggling pattern.
- PDF with appended ZIP archive (severity: high; rule: POLYGLOT_PDF_ZIP_APPENDED). A ZIP local-file header was found after the last %%EOF in this PDF, a polyglot pattern where the same bytes are a valid PDF for a PDF reader and a valid ZIP for an archive parser.
- Embedded URL (severity: info; rule: EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The five URLs below are all XMP/RDF metadata namespace identifiers found in any XMP-tagged PDF and are not network indicators:
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/pdf/1.3/
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/xap/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
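The two ZIP heuristics above reduce to a signature scan over the right byte ranges: the region after the last %%EOF for the polyglot case, and the inflated body of each stream object for the hidden-payload case. The script below is an added example, not the analyzer's own detection code; it reuses the report's rule names PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD and POLYGLOT_PDF_ZIP_APPENDED, adds its own placeholder label PDF_HIDDEN_ZIP for archives without executable entries, and builds a small constructed PDF (not the real sample) so it can be run offline.

```python
"""Scan a PDF for ZIP archives hidden in stream objects or appended after %%EOF.

Added example, not the analyzer's own code. It reproduces the two heuristics
from the report (PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD, POLYGLOT_PDF_ZIP_APPENDED)
with a local-file-header scan and builds its own sample PDF for testing.
"""
import io
import re
import struct
import zipfile
import zlib

ZIP_LFH = b"PK\x03\x04"  # ZIP local file header signature
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta")
# stream ... endstream bodies; re.S so '.' spans binary newlines
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def zip_entry_names(blob):
    """Return [(offset, name)] for every ZIP local file header in blob.

    Only local headers are walked, so an archive with a damaged or missing
    central directory (common in smuggled payloads) is still reported.
    """
    out = []
    pos = blob.find(ZIP_LFH)
    while pos != -1 and pos + 30 <= len(blob):
        # header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4)
        #         csize(4) usize(4) name_len(2) extra_len(2), then name, extra, data
        flags, = struct.unpack_from("<H", blob, pos + 6)
        csize, = struct.unpack_from("<I", blob, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", blob, pos + 26)
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        out.append((pos, name))
        # flag bit 3 means sizes live in a trailing data descriptor (csize is 0)
        skip = 30 + name_len + extra_len + (0 if flags & 0x08 else csize)
        pos = blob.find(ZIP_LFH, pos + skip)
    return out


def decoded_streams(pdf):
    """Yield (file_offset, bytes) for each stream object, inflating FlateDecode
    bodies; a body that is not a complete zlib stream is returned raw."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        d = zlib.decompressobj()
        try:
            data = d.decompress(raw)
            if not d.eof:        # truncated zlib data: fall back to raw bytes
                data = raw
        except zlib.error:       # not Flate-encoded at all
            data = raw
        yield m.start(1), data


def scan_pdf(pdf):
    """Return findings as dicts. Rule names follow the report; PDF_HIDDEN_ZIP
    (archive in a stream with no executable entries) is this example's own label."""
    findings = []
    eof = pdf.rfind(b"%%EOF")
    if eof != -1:
        tail_start = eof + len(b"%%EOF")
        for off, name in zip_entry_names(pdf[tail_start:]):
            findings.append({"rule": "POLYGLOT_PDF_ZIP_APPENDED", "severity": "high",
                             "file_offset": tail_start + off, "entry": name})
    for soff, data in decoded_streams(pdf):
        for off, name in zip_entry_names(data):
            exe = name.lower().endswith(EXEC_EXT)
            findings.append({"rule": "PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD" if exe else "PDF_HIDDEN_ZIP",
                             "severity": "critical" if exe else "medium",
                             "file_offset": soff, "stream_offset": off, "entry": name})
    return findings


def build_sample():
    """Constructed fixture, not the report's sample: a minimal PDF whose only
    stream is a FlateDecode-compressed ZIP holding a fake 'java_Update.exe',
    plus a second ZIP appended after %%EOF."""
    def make_zip(name, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr(name, data)
        return buf.getvalue()

    inner = make_zip("java_Update.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
    body = zlib.compress(inner)
    pdf = (b"%PDF-1.4\n"
           + b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           + b"2 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
           + b"stream\n" + body + b"\nendstream\nendobj\n"
           + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return pdf + make_zip("readme.txt", b"appended archive")


if __name__ == "__main__":
    for hit in scan_pdf(build_sample()):
        print(hit)
```

On the constructed sample the scan reports the appended archive as POLYGLOT_PDF_ZIP_APPENDED and the in-stream 'java_Update.exe' entry as PDF_HIDDEN_ZIP_EXECUTABLE_PAYLOAD. The file-offset reported for a stream finding is the offset of the raw (still compressed) stream body, so to carve the archive you re-inflate that stream and cut at stream_offset, which is how the report's hidden_pdf_zip artifact is produced.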
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| hidden_pdf_zip_off00016563.zip | 65d91d57777153de780e4013d31f671bc106dfdfbd68b1d9bfd43603fee6b8e6 | pdf-hidden-zip | PDF decompressed stream ZIP payload at offset 0x16563 | 652530 bytes |