Malicious PDF — malware analysis report

Static analysis result for SHA-256 193bc489b5decfb0…

Verdict: MALICIOUS
File type: PDF

Size: 9.9 KB
Created: (unreadable; the extracted string value is not decodable, as expected for string objects in a PDF that declares /Encrypt, see PDF_ENCRYPTED_WITH_JS below)
Authoring application: (unreadable, same reason as above)
MD5: d50890387cec98a35ca85c03dc636244
SHA-1: 4ade3a99f495f085772dc2cd388e3ee7e332bfa1
SHA-256: 193bc489b5decfb0a131490daa2158c5753438a1eefd7bb3d835a90fffaaefde
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by a machine learning classifier and exhibits characteristics of obfuscated JavaScript. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT heuristics indicates that the JavaScript is used to conceal the actual malicious content, likely to download and execute a secondary payload. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_ENCRYPTED_WITH_JS (severity: high): Encrypted PDF carries /OpenAction — payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF_JAVASCRIPT (severity: low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (severity: low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • EXTRACTED_FILE_STATIC_TRIAGE (severity: info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0027_001.js
  SHA-256: dd1295e271ea081afe92ebd3e814efb0fd1109bdd0c11ef11c7b36493e5d4f0c
  Kind: pdf-javascript-stream
  Source: PDF /JS object 27 at offset 0xA37
  Size: 6594 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Artifact 2
  Filename: javascript_obj0025_001.js
  SHA-256: c9f9d158eb55a4afa9f839566f7cef2d0cc827baa8aebbc970753e5166696fda
  Kind: pdf-javascript-stream
  Source: PDF /JS object 25 at offset 0x8D3
  Size: 6594 bytes