Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a5f9b7396143282…

MALICIOUS

PDF

69.5 KB
MD5: 7c65d0bfb6e8e6c1ed60d4a09655879e
SHA-1: 7054fa74222ef54e881a8e7c71fd6528b1a2ac5b
SHA-256: 2a5f9b73961432821d4a140c53324b2adbe9b106aa11f59b59e24c80b5bc62e4
Risk Score: 60

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1105 Ingress Tool Transfer
T1055 Process Injection

The PDF document contains a Base64-encoded Windows executable payload. The heuristic indicates that the payload imports process injection APIs such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread, suggesting it is designed to execute malicious code within another process. The embedded executable's SHA-256 hash is identified as a key indicator.

Heuristics 1

  • Base64-encoded Windows executable payload in PDF critical PDF_BASE64_PE_PAYLOAD
    PDF text contains a long base64 blob that decodes to a verified Windows PE executable. This catches payloads hidden after EOF, inside comments, or in plain text outside normal PDF streams.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: base64_pdf_pe_000002fe.exe
SHA-256:  cac25a0c85ff0522a7105b86ac53326b6c5a8b9031d9ab76d5f39249c561bd20
Kind:     embedded-pe
Source:   PDF raw base64 PE payload at offset 0x2FE
Size:     52736 bytes