Malicious PDF — malware analysis report

Static analysis result for SHA-256 402321a0e84aa01e…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Authoring application: PyPDF2
MD5: a95085e613d0508743bb4b591cc4d61f
SHA-1: bd340eb985cbc9c98914c3f2fa182b3f01e5978b
SHA-256: 402321a0e84aa01ea7d8527be955717d1514bfe977dce6a9f0d247b39876ff94
Risk Score: 90

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A high-severity heuristic also fired for PDF_EVAL, suggesting the use of eval() within the JavaScript. This pattern is commonly used to obfuscate malicious code and download secondary payloads. The ML classifier strongly flagged this PDF as malicious. No specific family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info, rule PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • PDF differential parser failed (severity: info, rule PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0004_000.js
    SHA-256: 364d98365947b39f6f3de8a951a261586c95b63218b35f1a092635619c85a0fd
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0xF9
    Size: 980 bytes
  • Filename: javascript_obj0004_001.js
    SHA-256: 34a8dd3abbd9891ac611bebc26c50f1a9f62482dfa38c395d7e11f63e4226088
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0xF9
    Size: 86 bytes