Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e12b783188ba077…

MALICIOUS

PDF

3.2 KB. Created: [unreadable, metadata string garbled] Authoring application: [unreadable, metadata string garbled]
MD5: 0b9ade2da3629727749094488ef9f7ca SHA-1: 3fc19265d41cab1a35cbb42545e7d899f4ffd890 SHA-256: 0e12b783188ba077df0a24f8f2418fc22641811064d64c69a84557d154e9a326
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The PDF file contains obfuscated JavaScript code within an embedded stream. This script is designed to deobfuscate and likely execute a secondary payload, as indicated by the 'PDF_ENCRYPTED_WITH_JS' heuristic. The ML classifier strongly suggests malicious intent. The primary IOC is the embedded JavaScript file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis (severity: high, rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0014_001.js
SHA-256: 129ed1cb35a006d3eca68be474a64d9d32d9fd86c5083423e48797e22827f58d
Kind: pdf-javascript-stream
Source: PDF /JS object 14 at offset 0x48D
Size: 4687 bytes

Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).