Malicious PDF — malware analysis report

Static analysis result for SHA-256 17ba721b8ee72035…

Verdict: MALICIOUS
File type: PDF
Size: 25.5 KB
Authoring application: PyPDF2
MD5: f1f75f3ff499357ce9f9136c34f91281
SHA-1: df6dfcfc842a3c47c2ba3f0534a92e431df81f37
SHA-256: 17ba721b8ee720352f2ddaeeb478ebf230b1ee26c1610d83d7bd713cf019d4bc
Risk Score: 416

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that is heavily obfuscated and utilizes eval() calls, indicating an attempt to hide malicious functionality. The presence of PDF JavaScript exploit cluster heuristics and ClamAV detections (Js.Downloader.Email_phishing-1) strongly suggests the script is designed to download and execute a secondary payload. The document is also an image-only lure, further supporting a phishing or social engineering attack vector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9968

Heuristics (12)

  • PDF JavaScript exploit cluster (severity: critical, rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Js.Downloader.Email_phishing-1 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Downloader.Email_phishing-1
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution.
  • Embedded script payload in PDF stream (severity: high, rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Image-heavy PDF hides clickable URL with PDF string escapes (severity: high, rule: PDF_ESCAPED_URI_IMAGE_LURE)
    PDF is image-heavy with little real text, and its clickable HTTP(S) URI is encoded with PDF octal escapes. This combination is common in credential-phishing PDFs that render a screenshot-like prompt and obscure the destination from simple URL extractors.
  • Suspicious extracted artifact (severity: high, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Image-only document with action trigger (screenshot lure) (severity: medium, rule: PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 25 KB: the typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI (severity: low, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.worldblindunion.org/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the filename, SHA-256, kind, source, and size of the carved artifact, followed by any detections.

  • javascript_obj0011_000.js
    SHA-256: 3a2274ca680d118cd61521598e78ab8da8bb0a2fc601fde6e90395542d3f8965
    Kind: pdf-javascript-stream
    Source: PDF /JS object 11 at offset 0x907
    Size: 7047 bytes
    Detection: ClamAV: Js.Downloader.Email_phishing-1
    Obfuscation or payload: likely
    Carved artifact contains 7 shell/COM execution token(s). Carved artifact contains 18 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).
  • javascript_obj0011_001.js
    SHA-256: 9707af73abf22082c89089e4b577b91e144fb68380ba8a32beb71e7ca6e5bfa2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 11 at offset 0x907
    Size: 39 bytes
    Detection: none
  • embedded_pdf_script_00001bf9.bin
    SHA-256: d308e8d8f7568e40ce9d00630c3035a7628bb8ec45f9652673ee86d550d43288
    Kind: pdf-embedded-script
    Source: PDF decompressed stream script payload at offset 0x1BF9
    Size: 26101 bytes
    Detection: ClamAV: Js.Downloader.Email_phishing-1
    Obfuscation or payload: likely
    Carved artifact contains 7 shell/COM execution token(s). Carved artifact contains 18 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: 029f48dbe38830a5f26de0c73f3cc5d382045edda3a11981f7147194a8d7401e
    Kind: deobfuscated-js
    Source: split-join delimiter stripped JavaScript at offset 0x973
    Size: 25985 bytes
    Detection: ClamAV: Js.Downloader.Email_phishing-1
    Obfuscation or payload: likely
    Carved artifact contains 7 shell/COM execution token(s). Carved artifact contains 18 eval/decoder/string-building token(s).