PDF malware analysis — malicious · 3696d7feb4cb8065

MALICIOUS

PDF

12.0 KB

MD5: a593f6563eca0ef3f21fe1aa0c08e204 SHA-1: 1ae0d9ac1abe53d5efa47ae65adabff9b73431a5 SHA-256: 3696d7feb4cb8065427d0ff75f795857a9de98ccb2f1c2d54139b428e663ae98

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV detection and high-severity heuristic firings indicate this PDF is malicious. Specifically, the 'PDF_METADATA_EVAL_STAGER' heuristic suggests that JavaScript within the PDF's metadata is used to decode and execute a payload. The embedded JavaScript stream further supports this, likely acting as the stager to download and run a second-stage exploit or malware. The ML classifier's high confidence score reinforces the malicious nature of the file.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER

PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_000.js` `c3c9ca943d4a90d60e317d03cb0ae72d1f7821e24fd92ae08c625bf6b840a2f3`	pdf-javascript-stream	PDF /JS object 76 at offset 0x2DB7	331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.