PDF malware analysis — malicious · 013db6d7559fd266

MALICIOUS

PDF

26.3 KB

MD5: 57e3eca166a19f74be92f42ea74ea0bc SHA-1: c56dd167188da4f35baa9887e66d13a97b4f75b8 SHA-256: 013db6d7559fd266b0166c67bf7e1af341c51b68f1c6f48045586c3f2ad82fb4

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF document contains embedded JavaScript that triggers an exploit, as indicated by the PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL heuristics. The ML classifier also strongly flags this PDF as malicious. The JavaScript's eval() call is highly suspicious and likely used to download and execute a secondary payload, though the specific URL or payload could not be reconstructed from the provided truncated script.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0032_000.js` `b86d581ee85d58432804d080f2de6a69b3af58aff6b035e16dce108276b84c63`	pdf-javascript-stream	PDF /JS object 32 at offset 0x2CA	2795958 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.