Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbf12713bd637a6e…

MALICIOUS

PDF

Size: 164.3 KB
Created: (unreadable; the metadata string is encrypted, see PDF_ENCRYPTED below)
Authoring application: (unreadable; the metadata string is encrypted, see PDF_ENCRYPTED below)
MD5: 64d408022977e9eb1e3c16def43005da
SHA-1: 0362e1b48519835f92d8c6d6c333a9c128b12b39
SHA-256: fbf12713bd637a6ed531a47071861995f0534142751c162b39a70f7678f240b0
Risk Score: 72

Malware Insights

MITRE ATT&CK
T1553.001 Mark-of-the-Web Bypass

The PDF contains an embedded file, indicated by the PDF_EMBEDDED heuristic. The ClamAV detection of 'Win.Worm.VBS-95' strongly suggests malicious intent. The PDF is also encrypted and appears to be image-only, which are common tactics to evade static analysis and trick users. The embedded file is the primary indicator of a potential attack vector.

Heuristics (4)

  • ClamAV: Win.Worm.VBS-95 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Worm.VBS-95
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
  • Encrypted PDF (string and stream contents are opaque to static scan) [info] PDF_ENCRYPTED
    PDF declares /Encrypt: string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.