MALICIOUS
142
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1559.001 Component Object Model Hijacking
The PDF contains embedded JavaScript and is encrypted, indicating an attempt to conceal malicious content. The presence of U3D/3D content is also flagged as a potential indicator for CVE-related exploits in Adobe Reader. The ML classifier strongly suggests maliciousness. The exact payload and delivery mechanism are obscured by encryption and JavaScript, preventing a more specific analysis.
Machine Learning
- Nyx PDF Classifier malicious score 0.9919
Heuristics 6
-
U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high PDF_U3D_CVE_RELATEDPDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
Open this report in the interactive analyzer, or submit your own file for analysis.