MALICIOUS
174
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
This PDF file was flagged as malicious by multiple heuristics, including ML classification and ClamAV detection, indicating it is a dropper. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT suggests that JavaScript is used to obfuscate and execute the malicious payload, likely downloading a second-stage artifact. The PDF_FILTER_HEX heuristic also indicates potential exploit indicators within the file structure.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 6
-
ClamAV: Pdf.Dropper.Agent-6296346-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-6296346-0
-
Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
Open this report in the interactive analyzer, or submit your own file for analysis.