PDF malware analysis — malicious · 302c84a4505ed444

MALICIOUS

PDF

1.2 KB

MD5: 0a9a2f075c86c9929e2ba6500b347474 SHA-1: 773e71e7a2839ec8f5105aef1402cc72dbcee0eb SHA-256: 302c84a4505ed4440cbbc156dcf5b1455d0ff60f22306d2c53a1665a58a3b10e

106 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious File

The PDF file contains embedded JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER heuristic indicates that the annotation subject is used to launch an evaluation stager. This suggests the JavaScript is designed to execute arbitrary code, likely downloading and executing a secondary payload. The ML classifier strongly supports a malicious verdict.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 3

Annotation subject percent-decoding eval stager critical PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER

OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes it with unescape(), and dispatches it through eval. This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless getAnnots() itself carries the crafted integer or long argument shape for that vulnerability.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0007_000.js` `bedd676af9bf2e3ca07f9e3a10d07bc561e9745801f30653ef176c0c1e7620a3`	pdf-javascript-stream	PDF /JS object 7 at offset 0x1A4	336 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.