Malicious PDF — malware analysis report

Static analysis result for SHA-256 2738e7a4495c028f…

MALICIOUS

PDF

10.9 KB First seen: 2021-01-15
MD5: df1d7cbc7b6f11e92d3c216b19770a88 SHA-1: a16eaa0f83d56791d2be719f1e55dbc8e0e956a7 SHA-256: 2738e7a4495c028f96d69c768a7c2428281dcfa1fc04ad6b76d7e3096e72a3b9
166 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 4

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.