Malicious PDF — malware analysis report

Static analysis result for SHA-256 0072da46742e2e18…

Verdict: MALICIOUS
File type: PDF
Size: 5.2 KB
Created: (unreadable)
Authoring application: (unreadable)
MD5: 75fc3e87a7b5c61eee442eefc64275db
SHA-1: c34cbecf81af6dcb77a2955c6f1e3e8f36ff1c71
SHA-256: 0072da46742e2e18c40ac2b48bd0618250b3dcd4e68b8f33438b90b0861ff0f0
Risk score: 128

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript, flagged by multiple heuristics, that is designed to download a secondary payload. The JavaScript explicitly contains the URL 'http://195.88.3' for this download. The ML classifier strongly indicates maliciousness, and the PDF is encrypted while also carrying JavaScript, which hides its full contents from static analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /OpenAction; payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • [high] PDF_JS_SHELLCODE_DOWNLOAD_URL: PDF JavaScript shellcode contains an embedded download URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute routine (commodity downloader behaviour rather than a specific Acrobat CVE).
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://195.88.3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0024_001.js
SHA-256: 3f24fb08727132ba15aa17b0f8939b8ab5c513f1440168da1c22bfe165f394fd
Kind: pdf-javascript-stream
Source: PDF /JS object 24 at offset 0x8D1
Size: 4380 bytes