Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c46e8f35ee5663c…

MALICIOUS

PDF

903.6 KB
MD5: 6624b03b2421f2813c463b22b48b9574 SHA-1: 45394765f8da676b8bd89d589ccd641b9c32da1e SHA-256: 4c46e8f35ee5663cff59edcf6d5b9f51f491baf37079d33f8a24417c85a5cd9d
182 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

This PDF file was flagged as malicious by a machine learning classifier and exhibits multiple high-severity heuristic firings related to JavaScript exploits and XFA forms. The embedded JavaScript stream, though heavily obfuscated, is indicative of an exploit attempting to hide its payload. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JS_EXPLOIT_CLUSTER strongly suggests the JavaScript is used to bypass security measures and deliver a secondary exploit or payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0029_000.js
0a7bff8908d2461d466266ad9f1781b037fbfa64aa6e13aff4c3b478d444f8f3		 pdf-javascript-stream PDF /JS object 29 at offset 0x1E2C 8603 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.