PDF malware analysis — malicious · 437d3efc166ea5c6

MALICIOUS

PDF

47.8 KB Created: 2009-12-02 20:13:35 +03:00 Authoring application: overMore (via efdbf45bfc950fc5a2ac0e1511a354b8)

MD5: ea356b0be0eee8e4d588e9826483171a SHA-1: ebbdf00c57f07ae73c8ed91d8e7addb02098d434 SHA-256: 437d3efc166ea5c6ed30b7936019307a22189f51a1313ed597b90c4fa722ede5

96 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, including a high-confidence eval() call. The JavaScript appears to be obfuscated, but a reconstructed string indicates it attempts to sanitize input and then execute it. This suggests the script is designed to download and execute a second-stage payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 4

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0015_000.js` `5b73eeda8e5619941f7609515c9c9c9662c1b6fe7a04556315f5bfd5836bb2f9`	pdf-javascript-stream	PDF /JS object 15 at offset 0x28E1	4096 bytes
`javascript_obj0016_001.js` `660637f7f985b3b8beb9a1dcb5475ddf688d2069e6e809295b77b41637b0c0f3`	pdf-javascript-stream	PDF /JS object 16 at offset 0xB92E	41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.