Malicious PDF — malware analysis report

Static analysis result for SHA-256 fca3ff4008d5f6da…

MALICIOUS

PDF

8.9 KB
MD5: d8c28db086d331e3040601795f9e66ab SHA-1: 7d47e34063b1a9b707df3605280d2f42f51d49a3 SHA-256: fca3ff4008d5f6da8de42a6b106ecca3f5920cafb2eb8586e934c7bc927d11b1
106 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

This PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream utilizes an eval() call, indicating an attempt to execute obfuscated code. The presence of AcroForm buttons with action triggers further suggests a user-interaction-based lure to execute the malicious script.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0057_000.js
d1569c10a2a215b275f1b6e2a67e07a265d1d53868b1eb3e40c862abbdeb9985		 pdf-javascript-stream PDF /JS object 57 at offset 0x191 1591 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
acroform_b64_00.js
19c8842ae7027bd9591f11395242d18dc7ce7d334d5791a26d9215efffc94c49		 deobfuscated-js PDF AcroForm base64 (raw) at offset 0xE68 3714 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.