PDF malware analysis — malicious · 2f6adfcff0b3aacb

MALICIOUS

PDF

3.6 KB

MD5: 7e73aee0b46ae85128713729fc531f3c SHA-1: 3eb92e45deca8a77ce176f9535fd1b0cc4dd4f00 SHA-256: 2f6adfcff0b3aacbc8a7b29806e8638e0039053fb690a342a1fe1167a72777b5

84 Risk Score

Malware Insights

MITRE ATT&CK

T1027 Obfuscated Files or Information T1140 Deobfuscate/Decode Files or Information

The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. The script utilizes unescape() and ASCIIHexDecode, suggesting an attempt to deobfuscate malicious content. The reconstructed string 'unescape(a " " " " % u 0 c0 c % u 0 c0 c' is likely part of this deobfuscation process, aiming to download and execute a second-stage payload.

Heuristics 5

unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Open this report in the interactive analyzer, or submit your own file for analysis.