Malicious PDF — malware analysis report

Static analysis result for SHA-256 11b66914c891dd23…

MALICIOUS

PDF

31.5 KB Created: prK7?Ö ºÿnw‡Õ¬Õ»úßlS£ Authoring application: Ê·yD”;æÎ9GÂ'‹œ] (via Ê·yW”;ìÎ<GÃ'‡œJþù)
MD5: 21e6d0599113515343fca4021e027ce2 SHA-1: 4bc2ede0c6c736bd4205140617fbe3c83a94db4d SHA-256: 11b66914c891dd23e7d9593b61da6f4a74323134a4d1324484d0e5c73c9bdcab
94 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
ed97387a070480fb3666d49830e9864656c8293318d66f1259b753df36bb16c8		 pdf-javascript-stream PDF /JS object 8 at offset 0x4EE 2047 bytes
javascript_obj0009_000.js
638a03a793beff11d8990cc1628aa99527b83e58bf0369caeb5fac3e08713549		 pdf-javascript-stream PDF /JS object 9 at offset 0x3CB 29620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.