File verdict·Decided by the MT AI Engine
Our call

Suspicious

Unsigned PDF triggers sandbox heuristics for process injection and credential access despite zero engine detections.

Trust score45Caution
MT AI confidence · 55%
El misterio del ojo de halcon.pdf
16.0 MB
0b341bc8825edec8a5a8d5a215d0
Antivirus engines
0 of 74 flagged
Code signing
Unsigned
Age
First seen 2 days ago
MT AI Engine · our arbiter

The verdict, reasoned out.

Not a rules engine. The MT AI Engine reads every signal we collected, weighs them against history, and commits to an answer.

55%Confidence
Moderate
Reasoning

Zero malicious detections from 63 engines including all tier-1 products rules out known malware families. However, the sandbox recorded three offensive MITRE techniques and direct-IP communication without DNS, which the heuristics interpret as malicious indicators. The PDF is unsigned, newly submitted and has no prior reputation or similar-hash matches. These contradictory signals — clean engine results versus suspicious runtime behaviour — produce a borderline mixed-signals assessment.

Key signals · 5

Each signal cites a concrete token from the evidence the arbiter saw — engine name, MITRE technique, signer string, or an exact count.

  1. engines.malicious=0 and engines.tier1Malicious=0 across 63 reporting engines

  2. behaviour.offensiveTechniques includes T1055, T1003, T1485 with three triggeredHeuristics rules firing

  3. contactedIps=["8.8.8.8"] with zero contactedDomains (MalwareTips.Synth.DirectIpC2)

  4. prevalence.classification=rare_new and file.ageDays=2

  5. signing.verified=null (unsigned) with no signerStats history

Points in its favour
  • Zero detections from 17 tier-1 and 40 tier-2 engines
  • No malicious dropped children or contacted hosts in cache
Points against
  • Sandbox observed T1055 process injection and T1003 LSASS access
  • Direct-IP contact with no DNS usage
  • Unsigned file, rare_new prevalence, only 2 days old
What to do

Treat as suspicious; isolate and re-analyse with additional behavioural tools before any user interaction.

Runtime behaviour

What this file did when executed

This file was detonated in 1 sandbox and its runtime behaviour was observed.

MITRE ATT&CK
10

Adversary techniques mapped to the MITRE ATT&CK framework.

T1003T1012T1033T1055T1071T1082T1485T1564T1564.003T1573
Spawned processes
14
$(unnamed)
"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\<USER>\Desktop\El misterio del ojo de halcon.pdf"
$(unnamed)
"C:\Program Files\Adobe\Acrobat DC\Acrobat\Adobe Crash Processor.exe"
$(unnamed)
C:\Windows\Explorer.EXE
$(unnamed)
"C:\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe" "C:\Program Files\Adobe\Acrobat DC\Acrobat" updatepvbpreference d5ee4765-3769-4801-bf5a-fdf97bed1307 0 0
$(unnamed)
C:\Windows\system32\services.exe
$(unnamed)
"C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe" "C:\Program Files\Adobe\Acrobat DC\Acrobat" "C:\Users\<USER>\AppData\LocalLow\Adobe\CRLogs\crashlogs"
$(unnamed)
"C:\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe" "C:\Program Files\Adobe\Acrobat DC\Acrobat" "C:\Users\<USER>\AppData\LocalLow\Adobe\CRLogs\dumps"
$(unnamed)
C:\Windows\System32\svchost.exe -k NetworkService -p
+6 more processes captured.
Network activity
1
IP addresses1
  • 8.8.8.8
Filesystem & mutexes
36
Files written15
  • C:\Users\<USER>\AppData\Local\Temp\acroNGLLog.txt
  • C:\Users\<USER>\AppData\Local\Temp\Tmp1846.tmp
  • C:\Users\<USER>\AppData\Local\Temp\Tmp1A1B.tmp
  • C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
  • C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\SOPHIA.json
+10 more
Files deleted15
  • C:\Users\<USER>\AppData\Roaming\Adobe\Acrobat\DC\JSCache\GlobSettings
  • C:\Users\<USER>\AppData\Local\Packages\Microsoft.XboxGamingOverlay_8wekyb3d8bbwe\LocalCache\KnownGameList.bin
  • C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\DC_READER_LAUNCH_CARD
  • C:\Users\<USER>\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Reader\Files\ACROBAT_READER_MASTER_SURFACEID
  • C:\Users\<USER>\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal
+10 more
Mutexes created6
  • Local\SessionImmersiveColorMutex
  • Global\_MSIExecute
  • Global\AdobeCrashProcessorLocalLowLock
  • \Sessions\1\BaseNamedObjects\{100184D2-BDC3-477a-B8D3-65548B67914C}_7136
  • \Sessions\1\BaseNamedObjects\Local\{100184D2-BDC3-477a-B8D3-65548B67914C}_4088
+1 more
Dropped payload

Files this sample writes at runtime

This file drops 10 children at runtime. None are currently flagged malicious in our cache.

10 unseen
  • eacad3e01b8b0a44ac03df796dNever scanned
    never seen before
  • 513fb5d3b4195ab59af264de2eNever scanned
    never seen before
  • a779a261df447a4c298cb1b86dNever scanned
    never seen before
  • ad27039abac3252c3b3937ede5Never scanned
    never seen before
  • 81ff65efc4487853bdb47c8e06Never scanned
    never seen before
  • 27b668f621f07d01d37ad3fb36Never scanned
    never seen before
  • fa831be25dad4cc703376fb7a4Never scanned
    never seen before
  • 612f15a0e0d29de1198e0976e4Never scanned
    never seen before
  • de56ebb390cf2ce655386e8826Never scanned
    never seen before
  • 4566c75914c69cc6c46528745eNever scanned
    never seen before
No researcher-database hits
External threat-intel sources were not collected for this scan.
Signature matches

YARA + heuristic rules that fired

A researcher-curated or high-severity heuristic rule matched this sample. These rules target specific malware families and are near-definitive.

3 synthesis
MITRE ATT&CK profile
Defense evasion× 1Cred access× 1C2× 1
MalwareTips synthesis rules
Our heuristics on VT data + sandbox behaviour
  • ProcessInjectionhigh

    MITRE T1055 (Process Injection) observed — CreateRemoteThread / APC / reflective-DLL injection. The payload is being smuggled into a legitimate process to bypass AV hooks.

    Evidence
    C:\Windows\Explorer.EXE
  • CredentialDumpermedium

    Sandbox observed process activity targeting LSASS (Windows credential store). Legitimate software has no business reading LSASS memory — this is Mimikatz-shape behaviour.

    Evidence
    C:\Windows\system32\lsass.exe
  • DirectIpC2medium

    Sample contacted 1 external IP address(es) and zero domains. Benign software virtually always uses DNS; no-DNS direct-IP C2 is a strong malware indicator because it bypasses reputation systems and dodges domain-based blocklists.

    Evidence
    8.8.8.8
Antivirus engine breakdown

0 detections across 74 engines

0 malicious0 suspicious74 clean
Tier-117 engines
0flag
Top commercial AVs (low FP rate)
Tier-240 engines
0flag
Mainstream engines with mixed FP rates
Low-trust17 engines
0flag
Heuristic / generic-AI engines (high FP rate)
All 74 engines report this file as clean.
Hash 0b341bc8825e… cross-referenced against 74 AV engines via our AV network.
Prevalence

How often this file shows up in the wild

Barely seen in the wild and first surfaced recently. This is the footprint of targeted malware the AV industry hasn't signatured yet — extra scrutiny is warranted.

Rare & new
Unique uploaders
1
Very few people have ever uploaded this — rare.
Total submissions
1
Includes repeat uploads by the same source.
First seen by VT
2d ago
Jul 6, 2026
Prevalence quadrant
here
Rare · New
Targeted malware lives here
Common · New
Just-released software
Rare · Old
Niche or internal tooling
Common · Old
Trusted legitimate binaries
File identity

Forensic fingerprint

File biography
First seen (VT)
7/6/2026, 7:16:27 AM
First seen (MalwareBazaar)
Last analysis (VT)
7/6/2026, 7:16:27 AM
Scanned here
7/8/2026, 1:25:23 AM
File name
El misterio del ojo de halcon.pdf
Size
16.04 MB
MIME type
(unknown)
Detected type
PDF
SHA-256
0b341bc8825edec8a5b112405c9911de1dfa26f82d767993e67c41a8d5a215d0
MD5
235d74e6bb719b8e864bc661d382304a
SHA-1
e7adc17580a3dc6073971a3bcbb66f42e313a337
First seen (VT)
7/6/2026, 7:16:27 AM
Last analysis (VT)
7/6/2026, 7:16:27 AM
First scan (MalwareTips)
7/6/2026, 7:19:17 AM
Last scan (MalwareTips)
7/8/2026, 1:25:23 AM
Behavior tags
pdfidle
Community classification

Reviews & malware reports(0)

Tell the community what you saw. Tag the sample — Trojan, Adware, False Positive — and share what the file did on your system. Your report helps confirm or dispute the AV verdict.

Loading…
Loading reports…
Files are processed in a streaming pass-through — MalwareTips never stores the binary on its servers. Only the scan result (hash, detections, verdict) is retained so the next person who scans the same file gets an instant answer. If you ran this file on your computer and are worried, scan your system with an up-to-date antivirus and change critical passwords from a different device.