Malicious PDF — malware analysis report

Static analysis result for SHA-256 07e7cedccaf8407a…

Verdict: MALICIOUS

File type: PDF

Size: 6.1 KB

MD5: a2e469ef2b2b0f354a7cc4b6aef08ab1
SHA-1: 757dc17a7ca2c9c5fd9020e64391e38881293102
SHA-256: 07e7cedccaf8407a80e29da319a98cda5746bfe67c7f8a0e80eb225d7e6056eb

Risk Score: 188

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The sample carries embedded JavaScript that calls eval() and unescape(), a pairing typical of obfuscated exploit code: unescape() decodes a %u-encoded string (commonly shellcode) that eval() then executes. Both calls were matched inside a decoded (inflated) stream, so triage has to inflate the FlateDecode streams rather than rely on a grep of the raw bytes. Combined with the /JavaScript action, this heuristic cluster strongly suggests an exploit targeting the PDF viewer rather than benign form scripting. The report assesses the script's primary function as downloading and executing a secondary payload, a common malware-delivery technique; note that the only URLs extracted from the document are XMP metadata namespaces, so no download location was recovered in this static pass.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9761

Heuristics (6)

  • PDF JavaScript exploit cluster (critical) PDF_JS_EXPLOIT_CLUSTER
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval()/unescape()/String.fromCharCode(), XFA script content, or a known CVE pattern. Benign form JavaScript on its own remains low-severity, but this correlated cluster is treated as high-confidence malicious behaviour.
  • eval() call (high) PDF_EVAL
    eval() found; commonly used to execute obfuscated exploit code (matched inside decoded stream).
  • unescape() call (high) PDF_UNESCAPE
    unescape() found; often used to decode %u-encoded shellcode in PDF JS exploits (matched inside decoded stream).
  • JavaScript action (low) PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream (low) PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    All five are standard RDF, XMP and Dublin Core namespace identifiers that appear in a PDF's XMP metadata packet. They are not network indicators, and none of them points to a payload host.
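As an added worked example (not code from the report or from the scanner behind it), the script below reproduces the logic of the heuristics above: it inflates FlateDecode streams, including an /ObjStm, scans the raw bytes and each decoded stream for the JavaScript surface (/JavaScript, /JS) and for staging indicators (eval(), unescape(), String.fromCharCode(), /XFA), records whether each rule matched the raw file or only a decoded stream, and fires the cluster rule only on the correlation of the two groups. The sample PDF is constructed inline and is not the analysed file. The rule IDs reuse the report's names; the severities, the PDF_FROMCHARCODE and PDF_XFA rules, and the verdict tiers are assumptions of this example.

```python
import re
import zlib

# Rules in the spirit of the report's scoring: generic JavaScript surface is
# low on its own, eval/unescape/fromCharCode are exploit-staging indicators,
# and the cluster rule fires only when both groups are present.
RULES = (
    ("PDF_JAVASCRIPT", "low", re.compile(rb"/JavaScript\b")),
    ("PDF_JS", "low", re.compile(rb"/JS\b")),
    ("PDF_EVAL", "high", re.compile(rb"\beval\s*\(")),
    ("PDF_UNESCAPE", "high", re.compile(rb"\bunescape\s*\(")),
    ("PDF_FROMCHARCODE", "high", re.compile(rb"String\.fromCharCode")),  # assumed rule
    ("PDF_XFA", "medium", re.compile(rb"/XFA\b")),                       # assumed rule
)
JS_SURFACE = {"PDF_JAVASCRIPT", "PDF_JS"}
STAGING = {"PDF_EVAL", "PDF_UNESCAPE", "PDF_FROMCHARCODE", "PDF_XFA"}
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed ordering

# Stream bodies between "stream" and "endstream"; the lookbehind stops the
# "stream" inside "endstream" from starting a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.DOTALL)


def build_sample_pdf() -> bytes:
    """Constructed sample, NOT the analysed file. The catalog and the
    /JavaScript action live inside a FlateDecode'd /ObjStm (numbered 23 to
    mirror the report's carved artifact) and the script is a FlateDecode'd
    /JS stream, so neither "/JavaScript" nor "eval(" is visible raw."""
    js = b"var sc = unescape('%u9090%u9090%ucccc'); eval(sc);"
    obj1 = b"<< /Type /Catalog /OpenAction 2 0 R >>"
    obj2 = b"<< /S /JavaScript /JS 3 0 R >>"
    header = b"1 0 2 %d\n" % (len(obj1) + 1)      # "objnum offset" pairs
    objstm = zlib.compress(header + obj1 + b"\n" + obj2)
    jsstm = zlib.compress(js)
    return b"".join([
        b"%PDF-1.5\n",
        b"23 0 obj\n<< /Type /ObjStm /N 2 /First %d /Length %d "
        b"/Filter /FlateDecode >>\n" % (len(header), len(objstm)),
        b"stream\n", objstm, b"\nendstream\nendobj\n",
        b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(jsstm),
        jsstm, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


def decoded_streams(pdf: bytes):
    """Yield (index, inflated_bytes) for each stream that inflates as zlib.
    decompressobj() tolerates the EOL bytes left before 'endstream'; streams
    using other filters raise zlib.error and are skipped (raw scan still runs)."""
    for idx, m in enumerate(STREAM_RE.finditer(pdf)):
        try:
            yield idx, zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def triage(pdf: bytes) -> dict:
    """Return {rule_id: {"severity", "where"}}. "where" records whether the
    rule matched the raw file or only a decoded stream, like the report's
    '(matched inside decoded stream)' annotation."""
    views = [("raw file", pdf)] + [
        (f"decoded stream {i}", data) for i, data in decoded_streams(pdf)
    ]
    hits = {}
    for rule_id, sev, pat in RULES:
        for where, buf in views:
            if pat.search(buf):
                hits[rule_id] = {"severity": sev, "where": where}
                break
    # Correlation rule: JS surface AND a staging indicator -> critical.
    if hits.keys() & JS_SURFACE and hits.keys() & STAGING:
        hits["PDF_JS_EXPLOIT_CLUSTER"] = {"severity": "critical", "where": "correlation"}
    return hits


def verdict(hits: dict) -> str:
    """Assumed tiers: critical -> malicious, high -> suspicious, else low."""
    top = max((RANK[h["severity"]] for h in hits.values()), default=0)
    return {4: "malicious", 3: "suspicious"}.get(top, "low")


if __name__ == "__main__":
    found = triage(build_sample_pdf())
    for rule_id, info in found.items():
        print(f"{rule_id:24} {info['severity']:9} {info['where']}")
    print("verdict:", verdict(found))
```

Running it on the constructed sample reports the two low-severity surface rules and both high-severity calls as matched only in decoded streams, plus the critical cluster, and a verdict of malicious; a PDF whose only script is a plain form action without eval()/unescape() produces just the two low rules. A production triage tool would additionally decode the other PDF filters (ASCIIHex, ASCII85, LZW, RunLength) and walk object lengths from /Length instead of trusting the endstream keyword.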

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objstm_0023_00.bin
SHA-256: dd0d28a9d34fe092b425e76dd79c89805b6648bea542e82c60f31dc6b1f332ce
Kind: pdf-objstm-decoded
Source: PDF /ObjStm 23 0 obj (inflated)
Size: 425 bytes

An /ObjStm packs other objects' dictionaries into one FlateDecode'd stream, so names such as /JavaScript and /JS inside it are not visible until the stream is inflated; the carved file is that inflated content.