Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a2208784f9302b5…

MALICIOUS

PDF

5.1 KB Created: ×Ê9_ŸÏù•6ܾ[‘ Authoring application: E—“k_ŒÏï–,ܧ_ (via E—“k_Œ®…ã"£à ÐQð]:àòù¡)
MD5: 42a8b7e2e5adaadcb27e23451b682fca SHA-1: 8f2a579962dd68ce1c2ea520b9a290405251c50d SHA-256: 4a2208784f9302b5357b3d58d688073f5999bb5c4e96768c3023859d7550b84f
86 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.002 Spearphishing Attachment

The PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript and is encrypted with an /OpenAction, indicating that the payload is hidden from static analysis and likely executed via JavaScript upon opening. This suggests a downloader or exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.