MALICIOUS
114
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 JavaScript/JScript
The PDF contains encrypted content and uses JavaScript functions like eval() and unescape(), indicating an attempt to obfuscate malicious code. The ML classifier also flagged this PDF as malicious. While the exact payload is hidden due to encryption and obfuscation, the techniques used suggest it's designed to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.6270
Heuristics 4
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits
-
Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTEDPDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
-
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LUREPDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Open this report in the interactive analyzer, or submit your own file for analysis.