Malicious PDF — malware analysis report

Static analysis result for SHA-256 1143ebe32579708f…

MALICIOUS

PDF

69.5 KB
MD5: 1081f871aa3cf8156eac65d235db7b4a
SHA-1: 401e74679f372189583768d732bbbda069c802d5
SHA-256: 1143ebe32579708fd3c668363eca2d7f1b06787499f72091a9709d1b69711fb1
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1055 Process Injection
  • T1055.012 Process Hollowing

The PDF document contains a Base64-encoded Windows executable payload. The heuristic indicates the payload is decoded and likely executed via process injection APIs such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The embedded executable's SHA-256 hash is cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9952

Heuristics 1

  • Base64-encoded Windows executable payload in PDF (critical) PDF_BASE64_PE_PAYLOAD
    PDF text contains a long Base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_000002fe.exe
SHA-256:  cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20
Kind:     embedded-pe
Source:   PDF raw Base64 PE payload at offset 0x2FE
Size:     52736 bytes