Malicious PDF — malware analysis report

Static analysis result for SHA-256 0837a815a55e5e9e…

MALICIOUS

PDF

27.8 KB Created: oS 6Ÿ-/Äíôm3Š>Ú¿â{ø Authoring application: Ֆ¿Ó6t¯~’ܱ_j»I (via Ֆ¿À6t¯t—Ü°_f»^5|)
MD5: dcce680d4e52e409855a104088c55e36 SHA-1: d8cca6286538decd06c40ceeb0313a540d1ac385 SHA-256: 0837a815a55e5e9efe28849c2e21979c6360478e5c0145d72acc75704980af68
94 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
3531bf17e90c416a2305ef2764e33c95d1597241186b4cd1913097a584c7b9b6		 pdf-javascript-stream PDF /JS object 8 at offset 0x4E6 2047 bytes
javascript_obj0009_000.js
860f201faf02cf8402e1321102d6acf29d110b3f32d537ac23b8deefd258a449		 pdf-javascript-stream PDF /JS object 9 at offset 0x3BF 25896 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.