Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a9b182c3cf67363…

MALICIOUS

PDF

94.3 KB Authoring application: PyPDF2
MD5: a52d06c13e0a4ef173466ae0888fcac1 SHA-1: 7a12b0113bf7f88213fda3072b93205326c5edd4 SHA-256: 3a9b182c3cf6736333c66d46215f1d228d0f770d64934251e769aec0b3999cd9
194 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, which is flagged by multiple heuristics including a high-severity eval() call and ML classification. The ClamAV signature 'Txt.Downloader.Nemucod-6769957-0' indicates the extracted artifact is a downloader. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9792

Heuristics 6

  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js
b783fcda296dffea2ebef0fe1f58faf3097d4db81fc6812910ff49ffb3961082		 pdf-javascript-stream PDF /JS object 5 at offset 0x351 13483 bytes
Detection
ClamAV: Txt.Downloader.Nemucod-6769957-0
Obfuscation or payload: likely
Carved artifact contains 26 eval/decoder/string-building token(s).
legacy_pdfkit_stage_000.js
f16717b874fe20e658a81571a55bdcf523400ea8faab5cd1b75ccc8f82f358b9		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0x419 7126 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
d7f1b4b331d5948e0ae7e1f9ca577d60408940150b29c45648cb8acfb29e6ed6		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0x3A3 96403 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 26 eval/decoder/string-building token(s).
legacy_pdfkit_stage_002.js
5b94c03cfa399da0f2f2cb723cdb639c682bcdafba97e3f67e445e195fc505e1		 deobfuscated-js split-join delimiter stripped JavaScript at offset 0x447 90064 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 shell/COM execution token(s). Carved artifact contains 27 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.