Malicious PDF — malware analysis report

Static analysis result for SHA-256 04c54104e4a34bbb…

MALICIOUS

PDF

2.2 KB
MD5: 959440603e2bc9015f5d1f1c63ea8a2a SHA-1: 354910f629d7322a082ad2436dc447f0edc04f21 SHA-256: 04c54104e4a34bbb934b87dbc26c3972e7c6ff5fdbd01541688093b10b202a2e
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier and contains JavaScript, which is heavily obfuscated. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JS heuristics indicates that the JavaScript is used to hide the actual malicious content. The obfuscated JavaScript likely serves to download and execute a second-stage payload, a common technique for initial access via spearphishing attachments.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Encrypted PDF carries /JS — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0009_000.js
1f4717d710aa1584f6a278c90e2e07ec30896c0d62c081b65ffd899c1b0179dd		 pdf-javascript-stream PDF /JS object 9 at offset 0x518 192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.