Malicious PDF — malware analysis report

Static analysis result for SHA-256 52675d24b3e28538…

MALICIOUS

PDF

8.0 KB
MD5: d121d4a929e7f5b240150ae360146260 SHA-1: 1da5e09802946e2894ea6b14fdbb47d4155a1b8a SHA-256: 52675d24b3e285388e8e50e0aceda3de61abbfe1f0a49515713f7567f37fabf3
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF file contains embedded JavaScript, including calls to eval() and unescape(), which are commonly used to obfuscate malicious code. The critical heuristic 'PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER' indicates a stager mechanism within the annotation subject. The ML classifier and ClamAV detection strongly suggest malicious intent, likely to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 8

  • Annotation subject percent-decoding eval stager critical PDF_ANNOT_SUBJECT_MARKER_EVAL_STAGER
    OpenAction JavaScript forces annotation enumeration, reads an annotation /Subject payload with getAnnots(), rewrites marker bytes into percent escapes, decodes it with unescape(), and dispatches it through eval. This is a high-confidence exploit-kit staging pattern. It is intentionally not mapped to CVE-2009-1492 unless getAnnots() itself carries the crafted integer or long argument shape for that vulnerability.
  • ClamAV: Pdf.Exploit.Agent-35912 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35912
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
7218a1c68060953321573daa035b16f5f32928ce25a9eb656690dbe78cd9464e		 pdf-javascript-stream PDF /JS object 7 at offset 0x19F 201 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
deobfuscated.js
368fed861246de8d81cbb35b27fb6011c3eca196a8432c1263c80b942a4f9361		 deobfuscated-js PDF JavaScript deobfuscation pass 8145 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.