Malicious PDF — malware analysis report

Static analysis result for SHA-256 20e44fe2e5d4161e…

Verdict: MALICIOUS
File type: PDF
Size: 5.37 MB
Created: 2007-10-04 23:47:02
Authoring application: ESP Ghostscript 815.04
MD5: a3a6a141ec8423ef8eeb3f64534934ca
SHA-1: b5d22414aaf267e6e6d366115910325beb8dd3fc
SHA-256: 20e44fe2e5d4161e907e1c99bc963b45b71bde8670a59e0d44c487c0be283c97
Risk score: 68

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File

The document references a /JS stream (PDF_JS), and a decompressed stream carries a script payload (PDF_EMBEDDED_SCRIPT_PAYLOAD). That stream calls unescape() (PDF_UNESCAPE), the usual way exploit JavaScript inside a PDF turns a %u-encoded string into shellcode, so the script is probably obfuscated. The embedded script is likely designed to download and execute a second-stage payload, but no payload URL is visible in the static artifacts: the only extracted URL is Apple's PropertyList DTD reference, which is standard boilerplate in plist/XMP metadata rather than a download or command-and-control channel, so any fetch-and-execute behaviour has to come from the script body itself and should be confirmed by running the carved script in a sandbox or a JavaScript emulator. Two caveats for the analyst: the T1059.001 (PowerShell) mapping is not backed by any listed heuristic, since the PDF_EMBEDDED_SCRIPT_PAYLOAD rule explicitly found no Windows shell-execution primitives; and a Ghostscript-produced PDF dated 2007 would not normally carry JavaScript at all, so the script was most likely injected after the document was generated, or the metadata is spoofed. Together with the classifier's near-zero clean score, these indicators support a moderate-confidence malicious assessment.

Machine Learning

  • Nyx PDF Classifier clean score 0.0006 (a clean score this close to 0 means the model finds almost nothing benign about the file; it is a strong malicious signal)

Heuristics (4)

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.apple.com/DTDs/PropertyList-1.0.dtd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0055f6fc.bin
SHA-256: 1666799335b1d77991fe8561686e31eaf42affaf366be3730a219a3edadb21b4
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x55F6FC
Size: 5634179 bytes (the decompressed stream is larger than the 5.37 MB file itself, consistent with a compressed script stream)
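The heuristics above and the artifact table are the output of a scanner this page does not reproduce. The following Python is an added example, not the analysis platform's code, of how such a triage pass can be written: it walks the PDF objects, inflates FlateDecode streams (tolerating a truncated stream, as a hand-appended payload often is), raises the four heuristic names used in this report, extracts URLs from both the raw file and the decoded streams, and carves script-bearing streams with offset, size and SHA-256 in the form the artifact table uses. The sample PDFs are constructed inline; the heuristic names come from this report, while the rule logic, object layout and function names are my own assumptions, and the object walker is a regex approximation rather than a conforming PDF parser (no object streams, encryption or cross-reference streams).

```python
"""Added example of a PDF triage pass (not the analysis platform's own code).
Heuristic names match this report; rule logic and sample inputs are assumptions."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)  # regex walker, not a full parser
STREAM_START_RE = re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
URL_RE = re.compile(rb"https?://[\w\-./%?=&+#:~]+")
SCRIPT_TAG_RE = re.compile(rb"<script[\s>]", re.IGNORECASE)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def decode_stream(dictionary, raw):
    """Inflate a /FlateDecode stream. A truncated stream (missing trailer or
    checksum) still yields whatever inflates, which is what an analyst wants."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return zlib.decompressobj().decompress(raw)


def triage(pdf):
    """Return (hits, artifacts, urls). hits are (rule, severity, detail) tuples;
    artifacts describe carved script streams like the report's artifact table."""
    hits, artifacts = [], []
    if re.search(rb"/JS\b|/JavaScript\b", pdf):
        hits.append(("PDF_JS", "low", "document references a /JS or /JavaScript entry"))
    urls = set(URL_RE.findall(pdf))                      # URLs visible in the raw file
    for obj in OBJ_RE.finditer(pdf):
        body = obj.group(2)
        start = STREAM_START_RE.search(body)
        if not start:
            continue
        dictionary = body[:start.start()]
        length = LENGTH_RE.search(dictionary)
        if length:                                       # trust /Length, else fall back to endstream
            raw = body[start.end():start.end() + int(length.group(1))]
        else:
            raw = body[start.end():body.rfind(b"endstream")]
        offset = obj.start(2) + start.end()              # absolute file offset of the stream bytes
        data = decode_stream(dictionary, raw)
        urls.update(URL_RE.findall(data))                # URLs that only exist after inflation
        suspicious = False
        if b"unescape(" in data:
            suspicious = True
            hits.append(("PDF_UNESCAPE", "high", "unescape() in stream at 0x%X" % offset))
        if SCRIPT_TAG_RE.search(data):
            suspicious = True
            hits.append(("PDF_EMBEDDED_SCRIPT_PAYLOAD", "medium", "<script> tag in stream at 0x%X" % offset))
        if suspicious:                                   # carve the decoded stream, as the report does
            artifacts.append({"name": "embedded_pdf_script_%08x.bin" % offset,
                              "kind": "pdf-embedded-script",
                              "offset": offset, "size": len(data), "sha256": sha256_hex(data)})
    if urls:
        hits.append(("EMBEDDED_URL", "info", "%d URL(s) extracted" % len(urls)))
    return hits, artifacts, sorted(u.decode("latin-1") for u in urls)


# Constructed sample inputs (not real samples): a %u-encoded unescape() string and
# the same Apple DTD URL this report extracted, placed inside a compressed /JS stream.
SCRIPT = (b"var sc = unescape('%u9090%u9090%uCCCC');\n"
          b"app.launchURL('http://www.apple.com/DTDs/PropertyList-1.0.dtd');\n")


def build_pdf(body, flate=False, with_js=False):
    """Assemble a minimal PDF around one stream object whose raw bytes are `body`."""
    out = b"%PDF-1.4\n1 0 obj << /Type /Catalog"
    if with_js:
        out += b" /OpenAction 2 0 R >> endobj\n2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
    else:
        out += b" >> endobj\n"
    filt = b" /Filter /FlateDecode" if flate else b""
    out += b"3 0 obj << /Length %d%s >>\nstream\n" % (len(body), filt)
    return out + body + b"\nendstream\nendobj\n%%EOF\n"


MALICIOUS_PDF = build_pdf(zlib.compress(SCRIPT), flate=True, with_js=True)
TRUNCATED_PDF = build_pdf(zlib.compress(SCRIPT)[:-4], flate=True, with_js=True)  # adler32 cut off
BENIGN_PDF = build_pdf(b"BT /F1 12 Tf (Quarterly report) Tj ET")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_PDF), ("truncated", TRUNCATED_PDF), ("benign", BENIGN_PDF)):
        hits, artifacts, urls = triage(sample)
        print(label, hits, artifacts, urls)
```

Two design points carry over to real samples. The script stream is scored on its decoded bytes, so an unescape() call hidden behind /FlateDecode is still caught, and the carved artifact is the inflated stream, which is why a carved payload can be larger than the file on disk, as in the table above. The URL rule is deliberately informational: a URL is only a detection once the channel that reaches it (a JS call, a link annotation, plain metadata) is known, and a DTD reference in metadata says nothing about maliciousness on its own.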