Malicious PDF — malware analysis report

Static analysis result for SHA-256 f06e725bb6b9a91d…

MALICIOUS

PDF

12.0 KB
MD5: 8e230c34a9b49ad71d3cef2412c71dc3 SHA-1: a14701e4dd61386da02fa05be5053ae6e50754b4 SHA-256: f06e725bb6b9a91dfa5251688808ef89b0b527f234e89ca1c920d86c09e6091e
98 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF file was flagged by ClamAV as Pdf.Exploit.Dropped-90, indicating it contains an exploit. The presence of PDF_FILTER_HEX with exploit indicators and an embedded file further supports this. The embedded artifact is likely the dropped payload. No document body text was available for analysis, and no scripts were extracted.

Heuristics 5

  • ClamAV: Pdf.Exploit.Dropped-90 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-90
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
7fe4403fe1bd9202e733a48cdb18c84dde0a8ea54685f0f842d7f34c6d912f4f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x5A 1874 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.