PDF malware analysis — malicious · 480351dd1330f1c7

MALICIOUS

PDF

5.5 KB Created: 1¯`ALòõMÉ#× Authoring application: &Ëï9RáöSÈ'Ð (via &Ëï9Ráaò]·ÜtvÓ¦I)²@Ã)

MD5: 3a2a3d803d964066762fbf673aeab04a SHA-1: 462ef08fa9757c137afcd976c71f554ceedd64f4 SHA-256: 480351dd1330f1c7277ac0ae583bd3cf7bf0445c7fd69444c27e487f7957e922

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1553.004 Subversion: Mark-of-the-Web Bypass

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The presence of PDF_ENCRYPTED_WITH_JS indicates that the PDF's content is encrypted and likely uses JavaScript to decrypt and execute a payload, hiding it from static analysis. The obfuscated document body further supports this. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.