PDF malware analysis — malicious · 3a1562e28f91e8a5

MALICIOUS

PDF

42.5 KB Created: ¹F¦ðÁªÉ´0360264³ð¿(ý·<ö005

MD5: f714c79a93636520f4eddaf47cd4f8f2 SHA-1: dee6a31d34fdb6c3a7a5fb215dfd9b807c74c776 SHA-256: 3a1562e28f91e8a5601fcec4b11e20114d19b05c2717a208284018edf6dd7550

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1553.005 Mark-of-the-Web Bypass

The PDF was flagged as malicious by an ML classifier and contains embedded JavaScript, which is used to conceal the actual payload. The presence of PDF_ENCRYPTED_WITH_JS indicates that the JavaScript is likely responsible for decrypting or deobfuscating the malicious content, making it difficult for static analysis. No document body text was available for further analysis.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0021_000.js` `f801132e658b99cb78e3cccd37dfbb9693e336d161500faaaeb5322a3166d62b`	pdf-javascript-stream	PDF /JS object 21 at offset 0x177D	158 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.