Malicious PDF — malware analysis report

Static analysis result for SHA-256 01f28a3e2305c6c2…

MALICIOUS

PDF

Size: 33.7 KB. Created: (unreadable; the /Info string decodes to non-printable bytes). Authoring application: (unreadable; non-printable bytes), via (unreadable). Unreadable /Info strings are consistent with the document being encrypted: PDF encryption under the standard security handler covers the strings in the /Info dictionary as well as stream bodies, so the creation date and producer cannot be read without decrypting the file.
MD5: 82c2641ed0ccd1f8fc7b06fd6f574645 SHA-1: 9559541722f90fd870bfcb8e59ff430cb98cba50 SHA-256: 01f28a3e2305c6c2b2e7a4f8592213a3e892e4bd3893a86b90eca39592c88a71
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

This PDF is encrypted and contains embedded JavaScript that is wired to an action trigger. The script body as stored in the file is unreadable, and the ML classifier and the heuristics below indicate a high likelihood of malicious intent; the usual purpose of such a script is to download and execute a second-stage payload, but that cannot be confirmed here. A more detailed account of what the script does is not possible from static analysis of the encrypted document alone. One caveat for the analyst: the two /JS streams carved under Extracted artifacts were taken from an /Encrypt-protected file, so unless the analyzer decrypted them first their bytes are ciphertext rather than obfuscated JavaScript, and what reads as heavy obfuscation may simply be encryption. If the document's user password is empty, standard tooling can decrypt it without any secret, after which the carved streams can be inspected as plain JavaScript.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /JavaScript; payload hidden from static analysis
    The PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and other stream contents from static scanners. Combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key. Note that if the user password is empty, the key is derivable from the /Encrypt dictionary and the file can be decrypted with standard tools; the rule fires regardless, because scanners that do not attempt decryption never see the script.
  • [low] PDF_JAVASCRIPT: JavaScript action
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_OPTIONAL_CONTENT: Optional Content Group with action trigger
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: a6392d481e7f678841cdfae0dc4ef95fd3815812cc014c2dae23c865450df83e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x4EE
    Size: 2047 bytes
  • javascript_obj0009_000.js
    SHA-256: e165cd5570fb20e05c6d072dd3683fa464cc9fbde6884c7ab35af9cd7847e486
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x3C4
    Size: 31888 bytes
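The following script is an added example, not the analyzer's own code, showing how the four heuristics above and the stream carving behind the artifacts table can be reproduced with nothing but the Python standard library. It scans the raw bytes of a constructed sample PDF (SAMPLE_PDF, built inline; its stream body is placeholder bytes, not real RC4/AES output), resolves #xx hex escapes in names so that an evasive /Java#53cript still counts as /JavaScript, applies rules that reuse the report's rule ids (the severities and the predicate logic are assumptions), and carves every stream object with its object number, file offset, declared /Length and SHA-256, flagging the bytes as ciphertext when the file declares /Encrypt.

```python
"""Static triage of a PDF against the report's heuristics (added example)."""
import hashlib
import re

# Constructed sample: /Encrypt in the trailer, /OpenAction pointing at a
# /JavaScript action whose /JS is stream object 6, an /OCProperties (layer)
# dictionary, and the action name written with a #xx hex escape. The 12
# stream bytes are placeholder "ciphertext", not a real encrypted script.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
    b"/OCProperties << /OCGs [7 0 R] /D << /ON [7 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 "
    b"/O <0000> /U <0000> >> endobj\n"
    b"5 0 obj << /S /Java#53cript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length 12 >>\nstream\n"
    b"\x8a\x11\xf3Wq\x02\xcc\xee\x0b\x5a\xa1\x90\nendstream\nendobj\n"
    b"7 0 obj << /Type /OCG /Name (hidden) >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF\n"
)

KEYWORDS = [b"/Encrypt", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
            b"/OCProperties", b"/Launch", b"/EmbeddedFile"]

# (rule id from the report, assumed severity, description, predicate on counts)
RULES = [
    ("PDF_ENCRYPTED_WITH_JS", "high",
     "Encrypted PDF carries /JavaScript; script body hidden from static scanners",
     lambda c: c["/Encrypt"] > 0 and (c["/JavaScript"] > 0 or c["/JS"] > 0)),
    ("PDF_JAVASCRIPT", "low", "PDF contains a /JavaScript action",
     lambda c: c["/JavaScript"] > 0),
    ("PDF_JS", "low", "PDF references a /JS stream",
     lambda c: c["/JS"] > 0),
    ("PDF_OPTIONAL_CONTENT", "low",
     "Optional Content Group co-occurs with an action trigger",
     lambda c: c["/OCProperties"] > 0 and (c["/OpenAction"] > 0 or c["/AA"] > 0)),
]

# A stream object: "N G obj << dict >> stream\n"; the dictionary may not
# cross an endobj, which keeps the match from swallowing neighbouring objects.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n",
                    re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names so /Java#53cript scans as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each indicator name; a name ends at whitespace or a PDF delimiter."""
    norm = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        pat = re.escape(kw) + rb"(?=[\s/\[\]<>(){}%]|$)"
        counts[kw.decode()] = len(re.findall(pat, norm))
    return counts


def carve_streams(data: bytes, encrypted: bool) -> list:
    """Carve each stream body using its declared /Length; offsets are in the
    original (un-normalized) bytes, so an escaped dictionary key is not found."""
    out = []
    for m in OBJ_RE.finditer(data):
        length = re.search(rb"/Length\s+(\d+)", m.group(3))
        if not length:
            continue
        body = data[m.end():m.end() + int(length.group(1))]
        out.append({"object": int(m.group(1)), "offset": m.start(),
                    "size": len(body), "sha256": hashlib.sha256(body).hexdigest(),
                    "ciphertext": encrypted})
    return out


def triage(data: bytes) -> dict:
    """Run keyword counting, the rule set, and stream carving over one file."""
    counts = count_keywords(data)
    hits = [(rid, sev, desc) for rid, sev, desc, pred in RULES if pred(counts)]
    return {"keywords": counts, "hits": hits,
            "streams": carve_streams(data, encrypted=counts["/Encrypt"] > 0)}


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for rid, sev, desc in report["hits"]:
        print(f"[{sev:4}] {rid}: {desc}")
    for s in report["streams"]:
        print(f"object {s['object']} at offset {s['offset']:#x}: {s['size']} bytes, "
              f"sha256 {s['sha256'][:16]}..., ciphertext={s['ciphertext']}")
```

On the sample all four rules fire and one stream (object 6) is carved with ciphertext=True. When a real sample carries /Encrypt, the carved bytes are only useful as hashes until the file is decrypted; with an empty user password that takes one command, for example `qpdf --decrypt --password='' sample.pdf decrypted.pdf`, after which triage() on the decrypted file returns readable stream bodies and the /Encrypt count drops to zero.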