PDF malware analysis — malicious · 3f6fbe6226638407

MALICIOUS

PDF

4.7 KB Created: 2010-06-16 08:34:22 Authoring application: Amyuni PDF Creator (via Amyuni PDF Converter version 2.50f)

MD5: 57979852d97aa000521ef393a58d249e SHA-1: 04c9614f2b04cc06813828a63853f22df8f15e3a SHA-256: 3f6fbe622663840766b75269eb073f0d19ea097f317b6b5b1996d8e7a6010f60

198 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: Malicious File

The PDF sample contains JavaScript with an eval() call, strongly indicating it's designed to execute arbitrary code. The 'PDF_JS_EXPLOIT_CLUSTER' and 'PDF_CORRELATED_MALICIOUS_JS' heuristics confirm this is a known malicious JavaScript exploit pattern within PDFs. The ML classifier also flagged it with high confidence. The script's obfuscated nature and the presence of exploit-related signals suggest it likely downloads and executes a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS

PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.