Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d96d317ab82d1fe…

MALICIOUS

PDF

258.1 KB
MD5: 2edbba632b79daa69343bd758adb18d6 SHA-1: 59efd155ff968d9bf2cf59676b56de0418ac382a SHA-256: 1d96d317ab82d1fe7809a703d824352ea756f02479f9570aa61b03cf410c69a6
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by ClamAV and an ML classifier. Heuristics indicate the presence of embedded JavaScript, specifically noting a 'String.fromCharCode' decoding technique and an 'ML_NYX_PDF_MALICIOUS' firing. The embedded JavaScript stream, named 'javascript_obj0003_000.js', is the primary indicator of malicious activity. This script is likely responsible for downloading and executing a second-stage payload, a common technique for PDF-based malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8893

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-7140471-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7140471-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0003_000.js
c0a8d5558d043f07efa3950310d380cea3c17cc068a895055d0b13ec64a98c52		 pdf-javascript-stream PDF /JS object 3 at offset 0xD22 20393 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
stream_000_off00000125.bin
be6c0eb9843ec3be2006bc6fb618898e342f8c59b69c610198affe0dae4c711b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x125 3585 bytes
font_01_sfnt_off0000254a.bin
afeb9e1e920aae3aca3f295f1bbccba46b16423dac14b1b5fde4b661de9198cc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x254A 46764 bytes
font_02_sfnt_off00009b73.bin
5f96e1e90c4ef56487c91d02c05141dca0967f8e2bbd5d67be6c4f381f0afa79		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B73 62160 bytes
font_03_sfnt_off0001325b.bin
d375c22ace40f0b973d7308d85023b2e0e49d40dc51da45552d116868346475e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1325B 37232 bytes
font_04_sfnt_off00017dbd.bin
b661c2e877dd6b7625208ae148d736aedb24eda2d4f014262cbb7f958f538ca0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17DBD 71216 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.