Malicious PDF — malware analysis report

Static analysis result for SHA-256 113f20ec15825568…

MALICIOUS

PDF

116.5 KB Authoring application: PyPDF2
MD5: d17bf21ab32af2a26e5597977c8ae71c SHA-1: 19219b1cc7ee47074a251aa49192dabb7febe14b SHA-256: 113f20ec1582556893415ded404e9c4a31244f4e841267f17526b8a43a5081f2
288 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains heavily obfuscated JavaScript that utilizes eval() to execute malicious code. The JavaScript is designed to act as a downloader, as indicated by the 'PDF_JS_ACTIVEX_DOWNLOADER' heuristic and the ClamAV signature 'Txt.Downloader.Nemucod-6769957-0' on an extracted artifact. The primary function of the script is to fetch and execute a secondary payload, which is a common technique for malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9881

Heuristics 8

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • PDF JavaScript ActiveX downloader high PDF_JS_ACTIVEX_DOWNLOADER
    Decoded PDF JavaScript instantiates Windows ActiveX/COM objects to download a payload over HTTP, write it through ADODB.Stream, and execute it through WScript.Shell/rundll32-style process launch. This is commodity downloader behavior rather than a specific Acrobat CVE trigger.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0027_000.js
19a91ddbb458173a9056bbc3234c66e066895d14b37b1837fa22fb0ba4b3448d		 pdf-javascript-stream PDF /JS object 27 at offset 0xECC 13753 bytes
Detection
ClamAV: Txt.Downloader.Nemucod-6769957-0
Obfuscation or payload: likely
Carved artifact contains 26 eval/decoder/string-building token(s).
legacy_pdfkit_stage_000.js
c9cfc149d524b4995a5024efa3b6ed19f56097adfcb8e5675f2d5327c1c1d166		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0xF94 7261 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
28679f3d2b4a7a05589102b7cf03fab6fd8a8772bfbf44772da11cac5090b06d		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0xF1F 118882 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 26 eval/decoder/string-building token(s).
legacy_pdfkit_stage_002.js
1b6bbcc88db261858374a6ce2b7a5648b6d8132be059acc1febf82fcd4aec810		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0xFC3 112350 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.