PDF malware analysis — malicious · 0767a49c2d8c93ad

MALICIOUS

PDF

1.4 KB

MD5: f76946cda4ccea6f689d8fda2a0bda43 SHA-1: cdec123e25a3c04bc425535a69ff0f5d032c04de SHA-256: 0767a49c2d8c93ad5f1384a020c226c18fa4a0f6f5faf3269c682d8e0a913927

76 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and uses ASCIIHexDecode filters, indicating an attempt to exploit vulnerabilities for client execution. The ML classifier strongly suggests malicious intent. The presence of embedded files and JavaScript actions points towards a malicious document designed to be delivered as an attachment.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Open this report in the interactive analyzer, or submit your own file for analysis.