Malicious PDF — malware analysis report

Static analysis result for SHA-256 198dcf96b3f47345…

MALICIOUS

PDF

39.0 KB Created: ±êg£3W’ AelXxWæÛ¨óÿ` Authoring application: /U`’qgÀ8W(j_I (via /Us’qgÊ8W)jSI͙)
MD5: 2195aaa9e4ed698ecb8dc9fe654891b2 SHA-1: 29b90d142d364dfe205f0aa439b9a18ab48d9ca1 SHA-256: 198dcf96b3f473450e5a751a1835b4d07df66cfc52d2fac30d169d1bd99adc39
94 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
39f3a65b069c1734a6c1826ad263d9553c6556edaa43670e92561ef72cc65dd6		 pdf-javascript-stream PDF /JS object 8 at offset 0x4F6 2047 bytes
javascript_obj0009_000.js
69b93879923eea129d93069aaaf86f64560f9d6307421231c62f086944b77b7f		 pdf-javascript-stream PDF /JS object 9 at offset 0x3CA 37212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.