Malicious PDF — malware analysis report

Static analysis result for SHA-256 0cc2c0f49f560d98…

Verdict: MALICIOUS
File type: PDF
Size: 7.8 KB
MD5: fc278d9e32398fe1e65dc0f4a29fd929
SHA-1: f0a81b137ad537b10b0b0f962fedf1269644015e
SHA-256: 0cc2c0f49f560d9816fed317b894f67a19a0839fa43c20f977d1ce4c7bb081d1
Risk score: 148

Malware Insights

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The sample carries JavaScript reached through a /JavaScript action and a /JS stream, and the decoded stream calls eval(), the usual way for a malicious document to unpack and run obfuscated code when the reader opens it. Such code normally stages the next step, either by triggering a reader vulnerability (T1203) or by fetching a second-stage payload, but in this sample that is an inference from the eval() heuristic rather than an observation: the only URLs extracted are XMP metadata namespace identifiers (listed under EMBEDDED_URL), not a download endpoint, and none of the five heuristics that fired is a CVE-specific exploit pattern. Confirming what the script actually does requires reviewing the decoded JavaScript in the extracted streams or detonating the file in a sandboxed reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9483

Heuristics 5

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF namespace identifiers (RDF syntax, XMP basic, Dublin Core, XMP Media Management, Adobe PDF schema) of the kind found in a document's XMP metadata stream; they are identifiers, not endpoints the document contacts, and do not evidence a download channel.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                    Kind                     Source                                    Size
stream_002_off00000328.bin  decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x328   2450 bytes
    SHA-256 c7a40ada0104b367f9983576da8df7a17cb173ffc356d7d846ae5951537aaa9e
objstm_0024_00.bin          pdf-objstm-decoded       PDF /ObjStm 24 0 obj (inflated)           512 bytes
    SHA-256 6b9f377573e4fa5247bf66a9cd1fb204a20b8738d51c74c3c9889c29408a04d8
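The scanning logic behind the heuristics above (matching /JavaScript, /JS, eval() and unescape() in raw and inflated streams, carving an /ObjStm the way the second extracted artifact was produced, correlating the hits into the cluster rule, and labelling each extracted URL with the channel it came from) as an added Python example; this is not the analysis platform's code. The PDF it builds is constructed for the demonstration and is not the analyzed sample. The rule name PDF_OBFUSCATION is assumed, the channel labels are simplified (taken from the stream dictionary rather than from the reference graph), and the parser is a regex walk over `N G obj ... endobj` that trusts only a direct /Length, which is enough for the demonstration but not for adversarial PDFs with indirect lengths, cross-reference streams or filters other than FlateDecode.

```python
import re
import zlib

# Constructed sample (not the analyzed file): a minimal PDF with an /OpenAction that
# points at a FlateDecode'd JavaScript stream using unescape()/eval(), an uncompressed
# XMP metadata stream, one deliberately corrupt Flate stream, and an /ObjStm hiding a
# second /JavaScript action that is only visible after inflation.
def build_sample_pdf():
    js = b"var sc = unescape('%u9090%u9090'); eval(sc);"       # harmless stand-in
    packed = zlib.compress(js)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    inner = b"8 0 << /S /JavaScript /JS (app.alert(1)) >>"       # object 8 lives in the ObjStm
    objstm = zlib.compress(inner)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R "
        b"/OpenAction << /S /JavaScript /JS 4 0 R >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream",
        b"<< /Length 5 /Filter /FlateDecode >>\nstream\nXXXXX\nendstream",
        b"<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\nstream\n"
        % len(objstm) + objstm + b"\nendstream",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objects))
    return b"%PDF-1.7\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_KW = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")   # direct /Length only
URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")

# PDF_JAVASCRIPT, PDF_JS, PDF_EVAL and PDF_JS_EXPLOIT_CLUSTER are the report's rule
# names; PDF_OBFUSCATION is an assumed name for the unescape/fromCharCode indicator.
RULES = [
    ("PDF_JAVASCRIPT",  "low",    re.compile(rb"/JavaScript\b")),
    ("PDF_JS",          "low",    re.compile(rb"/JS\b")),
    ("PDF_EVAL",        "high",   re.compile(rb"\beval\s*\(")),
    ("PDF_OBFUSCATION", "medium", re.compile(rb"\b(?:unescape|fromCharCode)\s*\(")),
]
SEVERITY = dict((name, sev) for name, sev, _ in RULES)
SEVERITY["PDF_JS_EXPLOIT_CLUSTER"] = "critical"
ORDER = ["critical", "high", "medium", "low"]


def decode_stream(body):
    """Split an object body into (dictionary, stream bytes, inflated bytes or None, error)."""
    kw = STREAM_KW.search(body)
    if not kw:
        return body, b"", None, None
    dictionary = body[:kw.start()]
    lm = LENGTH_RE.search(dictionary)
    if lm:
        data = body[kw.end():kw.end() + int(lm.group(1))]
    else:  # indirect or missing /Length: fall back to the endstream keyword
        data = body[kw.end():body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" not in dictionary:
        return dictionary, data, None, None
    try:
        return dictionary, data, zlib.decompress(data), None
    except zlib.error as exc:  # truncated or corrupt stream: keep the raw bytes, flag it
        return dictionary, data, None, str(exc)


def scan(pdf):
    """Apply the report's heuristics to every object, raw and inflated, and return the evidence."""
    hits, urls, undecodable = {}, [], []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        dictionary, _raw, decoded, err = decode_stream(body)
        if err:
            undecodable.append(num)
        if re.search(rb"/Type\s*/Metadata", dictionary):
            channel = "metadata"         # XMP namespace URIs land here, not as links
        elif re.search(rb"/Type\s*/ObjStm", dictionary):
            channel = "objstm"
        elif decoded is not None:
            channel = "decoded stream"
        else:
            channel = "document body"
        for label, blob in (("raw", body), ("decoded", decoded)):
            if blob is None:
                continue
            for name, _sev, rx in RULES:
                if rx.search(blob):
                    hits.setdefault(name, []).append("obj %d (%s)" % (num, label))
            for url in URL_RE.findall(blob):
                urls.append((url.decode("latin-1"), channel))
    # Cluster rule: an executable JS surface correlated with a staging indicator.
    if hits.keys() & {"PDF_JAVASCRIPT", "PDF_JS"} and hits.keys() & {"PDF_EVAL", "PDF_OBFUSCATION"}:
        hits["PDF_JS_EXPLOIT_CLUSTER"] = ["correlation of the hits above"]
    findings = sorted(((n, SEVERITY[n], locs) for n, locs in hits.items()),
                      key=lambda f: ORDER.index(f[1]))
    return {"findings": findings, "urls": urls, "undecodable": undecodable}


if __name__ == "__main__":
    report = scan(build_sample_pdf())
    for name, sev, locs in report["findings"]:
        print("%-24s %-8s %s" % (name, sev, ", ".join(locs)))
    for url, channel in report["urls"]:
        print("URL %s [%s]" % (url, channel))
    print("undecodable streams:", report["undecodable"])
```

Two points the output makes that the report's list alone does not: the /JavaScript action inside the ObjStm and the eval() call inside the Flate stream are invisible to a raw byte scan and only appear at the "decoded" locations, which is why the platform records "matched inside decoded stream"; and a stream that claims /FlateDecode but fails to inflate is reported separately, since a scanner that silently skips it hands the attacker a trivial evasion.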