PDF malware analysis — malicious · 42fae9e589567732

MALICIOUS

PDF

3.6 KB

MD5: bbfdf1ccf7d8036c6b4d2253bdf88467 SHA-1: effc8cd43a31b375df7b115da25a252e87978a1c SHA-256: 42fae9e5895677321e880d5514489ee0192774ea5f30cc8e417fbe05d4d5a3e1

124 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript T1204.002 Malicious JavaScript

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The JavaScript uses `unescape()` and `eval()` functions, suggesting it is obfuscated and intended to execute arbitrary code. The presence of `ASCIIHexDecode` filter further supports exploitability. The script content appears to be a deobfuscated string that likely leads to the download and execution of a malicious payload, though the exact URL or payload is not directly visible in the provided excerpt.

Heuristics 6

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Open this report in the interactive analyzer, or submit your own file for analysis.