Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f7775592c857d5a…

Verdict: MALICIOUS
File type: PDF
Size: 81.5 KB
Created: 2009-08-22 11:11:20
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: c3654be6393d20809ceb04065172ee67
SHA-1: d82f65d602970c6a99c05c83efb4284e3a1851cb
SHA-256: 1f7775592c857d5a4c4e216c2e9a77adb3986920ed5ba05ea7c7c3e04f48f01b
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/Shell Script Execution
  • T1559.001 Component Object Model Hijacking

The PDF file contains embedded JavaScript, with a high-confidence heuristic firing for an eval() call. This suggests the script is designed to execute arbitrary code. The ML classifier also flagged the PDF as malicious with a high score. The presence of multiple JavaScript streams indicates a complex execution chain, likely involving obfuscation and a second-stage payload download. The specific intent of the JavaScript is not fully discernible due to potential obfuscation, but the overall pattern points to a malicious exploit delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9836

Heuristics (4)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0040_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 40 at offset 0x114F6
    Size: 67 bytes
    SHA-256: 585d0f88e0a1e1ccc638acab75dfdd6b28e75b717935d654f653642e1a27bc09
  • Filename: javascript_obj0041_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 41 at offset 0x1157F
    Size: 22789 bytes
    SHA-256: 7fb3ca635c62e0e327b3834bee8fece101eecb988fe0402ec1e1cdc8ea12225a
  • Filename: javascript_obj0042_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 42 at offset 0x13F6A
    Size: 247 bytes
    SHA-256: d16a12e27daa84a041280b40178ad799af15985b81b1e983585ea60cc10df12e

Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 1 eval/decoder/string-building token(s).