Suspicious
Unsigned PDF triggers sandbox heuristics for process injection and credential access despite zero engine detections.
0b341bc8825edec8a5…a8d5a215d0The verdict, reasoned out.
Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.
Zero malicious detections from 63 engines including all tier-1 products rules out known malware families. However, the sandbox recorded three offensive MITRE techniques and direct-IP communication without DNS, which the heuristics interpret as malicious indicators. The PDF is unsigned, newly submitted and has no prior reputation or similar-hash matches. These contradictory signals — clean engine results versus suspicious runtime behaviour — produce a borderline mixed-signals assessment.
Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.
engines.malicious=0 and engines.tier1Malicious=0 across 63 reporting engines
behaviour.offensiveTechniques includes T1055, T1003, T1485 with three triggeredHeuristics rules firing
contactedIps=["8.8.8.8"] with zero contactedDomains (MalwareTips.Synth.DirectIpC2)
prevalence.classification=rare_new and file.ageDays=2
signing.verified=null (unsigned) with no signerStats history
- Zero detections from 17 tier-1 and 40 tier-2 engines
- No malicious dropped children or contacted hosts in cache
- Sandbox observed T1055 process injection and T1003 LSASS access
- Direct-IP contact with no DNS usage
- Unsigned file, rare_new prevalence, only 2 days old
Treat as suspicious; isolate and re-analyse with additional behavioural tools before any user interaction.
What this file did when executed
This file was detonated in 1 sandbox and its runtime behaviour was observed.
Adversary techniques mapped to the MITRE ATT&CK framework.
- 8.8.8.8
- C:\Users\<USER>\AppData\Local\Temp\acroNGLLog.txt
- C:\Users\<USER>\AppData\Local\Temp\Tmp1846.tmp
- C:\Users\<USER>\AppData\Local\Temp\Tmp1A1B.tmp
- C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
- C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json
- C:\Users\<USER>\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
- C:\Users\<USER>\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache\KnownGameList.bin
- C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\DC_READER_LAUNCH_CARD
- C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\ACROBAT_READER_MASTER_SURFACEID
- C:\Users\<USER>\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
- Local\SessionImmersiveColorMutex
- Global\_MSIExecute
- Global\AdobeCrashProcessorLocalLowLock
- \Sessions\1\BaseNamedObjects\{100184D2-BDC3-477a-B8D3-65548B67914C}_7136
- \Sessions\1\BaseNamedObjects\Local\{100184D2-BDC3-477a-B8D3-65548B67914C}_4088
Files this sample writes at runtime
This file drops 10 children at runtime. None are currently flagged malicious in our cache.
- eacad3e01b8b0a44ac03…df796dNever scannednever seen before
- 513fb5d3b4195ab59af2…64de2eNever scannednever seen before
- a779a261df447a4c298c…b1b86dNever scannednever seen before
- ad27039abac3252c3b39…37ede5Never scannednever seen before
- 81ff65efc4487853bdb4…7c8e06Never scannednever seen before
- 27b668f621f07d01d37a…d3fb36Never scannednever seen before
- fa831be25dad4cc70337…6fb7a4Never scannednever seen before
- 612f15a0e0d29de1198e…0976e4Never scannednever seen before
- de56ebb390cf2ce65538…6e8826Never scannednever seen before
- 4566c75914c69cc6c465…28745eNever scannednever seen before
YARA + heuristic rules that fired
A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.
MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.
EvidenceC:\Windows\Explorer.EXESandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.
EvidenceC:\Windows\system32\lsass.exeSample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.
Evidence8.8.8.8
0 detections across 74 engines
How often this file shows up in the wild
Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.
Forensic fingerprint
- File name
- El misterio del ojo de halcon.pdf
- Size
- 16.04 MB
- MIME type
- (unknown)
- Detected type
- SHA-256
- 0b341bc8825edec8a5b112405c9911de1dfa26f82d767993e67c41a8d5a215d0
- MD5
- 235d74e6bb719b8e864bc661d382304a
- SHA-1
- e7adc17580a3dc6073971a3bcbb66f42e313a337
- First seen (VT)
- 7/6/2026, 7:16:27 AM
- Last analysis (VT)
- 7/6/2026, 7:16:27 AM
- First scan (MalwareTips)
- 7/6/2026, 7:19:17 AM
- Last scan (MalwareTips)
- 7/8/2026, 1:25:23 AM
Reviews & malware reports(0)
Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.