PDF malware analysis — malicious · 1ff3f43ab0849cad

MALICIOUS

PDF

4.0 KB

MD5: ad5dcb819939782a922d5930fcc14bd7 SHA-1: 27391f86292d379b899a078b46a1ebb3dc29ed5f SHA-256: 1ff3f43ab0849cad744e6ac767927499a1cc3ba8fcd6b428ddb6304e259ba482

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF sample contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript uses an unescape() call, a common technique for obfuscating malicious code, and the ASCIIHexDecode filter is also present. The script appears to be designed to download and execute a second-stage payload, as suggested by the embedded string 'CYsoVyap.swf'.

Heuristics 5

unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Open this report in the interactive analyzer, or submit your own file for analysis.