Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d1048d6a44af25f…

MALICIOUS

PDF

6.4 KB
MD5: ea9a8b7d672551e9a24cf75682e03777 SHA-1: db832e2b58cb2aab5d45500d20ea378a0e632beb SHA-256: 1d1048d6a44af25f610223c57669f9171c283ff96151068d8f8cb9401e2f3580
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The ML classifier also flagged the PDF as malicious with a high score. The JavaScript stream appears to be obfuscated, but the presence of eval() and String.fromCharCode suggests it's designed to execute arbitrary code. No specific IOCs like URLs or hashes were extracted from the document body or scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9833

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0024_00.bin
5a3672e974912a50eaa03028556d8a8cb5bf2cfa4b61cc521052bb67b1970e50		 pdf-objstm-decoded PDF /ObjStm 24 0 obj (inflated) 385 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.