Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f49bc28128b4efd…

MALICIOUS

PDF

2.0 KB
MD5: f8526d32156f3241b192e2cf4f1b0a1e SHA-1: e3da35ccb215111626c89e2200d9921ace5beb21 SHA-256: 2f49bc28128b4efd1d5f06bc5c217f3fac77026b10c665e0082f1ea5b178bf95
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier strongly flags this PDF as malicious. The JavaScript is likely responsible for executing a malicious payload, as suggested by the unescape() call and the suspicious extracted JavaScript files. The exact intent of the script is not fully discernible due to potential obfuscation, but it is a common delivery mechanism for further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj263984_000.js
65be9aebbcb307884e39c3cfa16572597c2721fec9c39f7a46595de114847817		 pdf-javascript-stream PDF /JS object 263984 at offset 0x197 6903 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
javascript_obj263985_001.js
3af7971c08eeb18b59edf4a7d0cceeb4fdb4f16d2c5d4d812143e5c487a04b8d		 pdf-javascript-stream PDF /JS object 263985 at offset 0x6A9 154 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.