PDF malware analysis — malicious · 47174e1476ca2e0e

MALICIOUS

PDF

1.9 KB

MD5: 87ea56f1f365d6912754102f4f5e19a7 SHA-1: 5e96a8123ee032b6ceae114231d1882f1621e01d SHA-256: 47174e1476ca2e0e293febf356ee2a997b76f2528310c18c6575f9dcb9798a70

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The script utilizes unescape() and string concatenation to construct a payload, likely for downloading and executing a secondary stage. The PDF_FILTER_HEX heuristic with exploit indicators suggests the PDF itself may be exploiting a vulnerability. The reconstructed string from the script is 'unescape("a %u0c0c%u0c0c")'.

Heuristics 5

unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Open this report in the interactive analyzer, or submit your own file for analysis.