PDF malware analysis — malicious · 5294e705dd871015

MALICIOUS

PDF

43.3 KB Authoring application: PyPDF2

MD5: caa460f8565c7a03dba072a60e909e06 SHA-1: ff070d0b2cca6a9f7a7323ebff8757b3d3755425 SHA-256: 5294e705dd871015cfd7521c04f78cbc5826138123a4feaa5c0c5e6d729875fb

148 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains obfuscated JavaScript that utilizes ActiveXObject to download and execute a secondary payload. The heuristics indicate this is a downloader, and the ML classifier strongly supports a malicious verdict. The script's intent is to download and execute a second-stage payload, likely leading to further compromise.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 6

Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
PDF JavaScript ActiveX downloader high PDF_JS_ACTIVEX_DOWNLOADER

Decoded PDF JavaScript instantiates Windows ActiveX/COM objects to download a payload over HTTP, write it through ADODB.Stream, and execute it through WScript.Shell/rundll32-style process launch. This is commodity downloader behavior rather than a specific Acrobat CVE trigger.
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0004_000.js` `11101a7a8761284a83e47bf5c34b18df21eeba3d2685db4b65f357afe398f713`	pdf-javascript-stream	PDF /JS object 4 at offset 0x13D	30227 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).
`javascript_obj0004_001.js` `fb1418ac75a1cfc33d47a0f3be2bdb1a32b947cb54a938cd8be949b3a6d8acc2`	pdf-javascript-stream	PDF /JS object 4 at offset 0x13D	1284 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s).
`embedded_pdf_script_0000017d.bin` `8579fe3894a920c7ab0e77d67d4500a6acc06fa0fcafb93199039ca4501fc864`	pdf-embedded-script	PDF decompressed stream script payload at offset 0x17D	44293 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 40 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.