PDF malware analysis — malicious · 3c80f4509740d18d

MALICIOUS

PDF

5.2 KB

MD5: c5440c757d0932a6b4c8b41ef63116f9 SHA-1: 39d04107a62d43b59207576adfe3ae11565822ba SHA-256: 3c80f4509740d18d50f331a55aef54e338c264907501d3fa0f7fd7d7d246c129

124 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript and RichMedia (Flash) content, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, PDF_RICHMEDIA, and PDF_EVAL. The presence of ASCIIHexDecode filter with exploit indicators suggests an attempt to obfuscate malicious code. The embedded file 'aHemNBymoE.swf' is likely the payload or a component thereof. The eval() call within the JavaScript is a strong indicator of dynamic code execution, likely to exploit a vulnerability or download a secondary payload.

Heuristics 6

RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Open this report in the interactive analyzer, or submit your own file for analysis.