PDF malware analysis — malicious · 447cd817672646ae

MALICIOUS

PDF

4.9 KB Authoring application: Xwapoxajiweciqe (via e3120Feuisawijijakitoxaxiy)

MD5: fd08b0394c8b828ab479b9bf6c15acff SHA-1: e309c8f94c6be2388b67e444894a20f53593a337 SHA-256: 447cd817672646aec634a834c2c9608d346b70d31bc7bf9d5d18d4749b7f15ea

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The PDF_PAGE_WORD_XOR_EVAL_STAGER rule suggests this JavaScript is designed to evaluate obfuscated code, a common technique for launching further malicious activity. The ML classifier strongly supports a malicious classification. Without further deobfuscation or network analysis, the exact payload and delivery mechanism remain unclear, but the intent is to execute arbitrary code.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER

PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0011_000.js` `c8cf16b80cd9e076d8d404d9b9a80b3c930be01d111b0827a19c86b82ddf185b`	pdf-javascript-stream	PDF /JS object 11 at offset 0xE77	578 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.