Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d219083af4d0a54…

Verdict: MALICIOUS
File type: PDF
Size: 1.3 KB
MD5: a1fd1c4c5c7a971573af3d2510de03df
SHA-1: 1c407c950078675af01e4a6f633bdb7c955b039a
SHA-256: 0d219083af4d0a54e9c0b59570df63b322463dc245adc3551099005c677e1b91
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The sample is a PDF file identified as malicious by a machine learning classifier and several high-severity heuristics, including the PDF JavaScript exploit cluster and eval() call heuristics. These indicate the presence of JavaScript code designed to exploit vulnerabilities in the PDF reader. The embedded JavaScript likely attempts to download and execute a second-stage payload, as suggested by the exploit cluster firing. No document body text was available for analysis.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (7)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • ASCIIHexDecode filter with exploit indicators (medium, PDF_FILTER_HEX)
    A hex-encoding filter is present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • JavaScript action (low, PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (low, PDF_EMBEDDED)
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.