Ramnit — PDF malware analysis

Static analysis result for SHA-256 ede52cd70b493fce…

MALICIOUS

PDF

111.7 KB
MD5: 0b48653c89cdcdafe8d4b0aeef8dc57d SHA-1: c36b9a4ad17697896c13af0921b431db161f29b4 SHA-256: ede52cd70b493fce29b25616d3ba3789505af83d12e6642cf392c5e7ca83056d
212 Risk Score

Malware Insights

Ramnit · confidence 95%

MITRE ATT&CK
T1059.003 Windows Command Shell T1204.002 Malicious File T1105 Ingress Tool Transfer

The PDF document contains an embedded VBScript payload that is designed to reconstruct and execute a PE file. The script utilizes 'Scripting.FileSystemObject' and 'WScript.Shell' to write and run the embedded PE payload, identified as svchost.exe. ClamAV detection and ML classification strongly indicate malicious intent, with the extracted artifact matching the Ramnit family. The embedded VBScript is responsible for dropping and executing the second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9695

Heuristics 5

  • VBScript in PDF stream reconstructs and runs a PE payload critical PDF_VBS_HEX_PE_DROPPER
    PDF stream contains an HTML/VBScript block that decodes a long hex string into a Windows executable and runs it via WScript.Shell. This is an embedded dropper payload, not ordinary PDF JavaScript.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_vbs_dropper_000004da.vbs
50b36b292c4a29f5f0d9642bb1487d597e7f817cb538628ff0d791b00e4fac65		 pdf-embedded-script PDF raw bytes VBScript dropper at offset 0x4DA 113122 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 long base64-like blob(s).
svchost.exe
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320		 embedded-pe Decoded PE from PDF VBScript dropper at offset 0x4DA 56320 bytes
Detection
ClamAV: Win.Trojan.Ramnit-9775455-0
Obfuscation or payload: likely
Carved artifact entropy is 7.89, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.