Malicious PDF — malware analysis report

Static analysis result for SHA-256 05004a192dc3f367…

MALICIOUS

PDF

Size: 34.8 KB
Created: 2009-05-01 21:21:45
Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: d4c190e5122861cb8b651c349a416882
SHA-1: d96148a779108bfd97d9cbed20958d8f8898821e
SHA-256: 05004a192dc3f367d50ea0dfc5bec3e7b5ef82a40f65c11910512cfc2e067312
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF contains embedded JavaScript, flagged by multiple heuristics, including a PDF JavaScript exploit cluster. The JavaScript uses eval() and String.fromCharCode together with URI component decoding, indicating it is designed to deobfuscate and execute malicious code at runtime. Its primary function appears to be downloading and executing a second-stage payload, though the exact URL is obfuscated within the script.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF JavaScript exploit cluster (severity: critical, rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.