PDF malware analysis — malicious · 01caafd636a3309d

MALICIOUS

PDF

45.1 KB

MD5: e78e8d8c2f5adc99d5a83ad6c4db4fb0 SHA-1: 9b4119962fd3827ea133451d5a4102b2823816a3 SHA-256: 01caafd636a3309d8a6de9256a539e973a2d531f83900df75ed9c4c29daf1ae7

176 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript and triggers heuristics related to PDF JavaScript exploits, including XFA forms. The JavaScript code is heavily obfuscated but appears to be designed to download and execute a secondary payload, indicating a malicious intent. The benign URLs extracted are likely decoys or standard references within PDF structures.

Machine Learning

Nyx PDF Classifier malicious score 0.9952

Heuristics 6

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `45681f5407771ff564d1891848d6eca382305930431c87cedb22c8a4663cfd84`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA1ED	3567 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.