Malicious PDF — malware analysis report

Static analysis result for SHA-256 159828de08d9a654…

MALICIOUS

PDF

287.1 KB
MD5: a920dd4e1fc0898d2c77b7046ce67517 SHA-1: 1589d0a926ff513d6bab212a2591ae6bc002c579 SHA-256: 159828de08d9a654313236067b43b2e2a8245f7441e29f9b9c7a0b2be7cfcad2
192 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript and a secondary embedded PDF, both of which are flagged as malicious. The JavaScript appears to be shellcode, and ClamAV detected a JavaScript exploit. The ML classifier and static triage also indicate malicious intent, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 8

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0002_000.js
9bd016c13bde87cf298e4b4a117e64f6fd5c28dfc5e6e7f77f861e9271e3debb		 pdf-javascript-stream PDF /JS object 2 at offset 0x9C 4600 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 13 eval/decoder/string-building token(s).
polyglot_child_pdf_off00042e65.pdf
6edb611bd58433078b30fda7fd788fbb98d89915a8b855fd2bc98d2703eca455		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x42E65 19980 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.