PDF malware analysis — malicious · 52de3b7dac1fc037

MALICIOUS

PDF

52.0 KB Created: 2009-12-09 22:19:34 +03:00 Authoring application: dontForm (via bd226797c6f94e77d81ea064be12e2ee)

MD5: b48ca8f2f3475f27d0693f98ff1080a4 SHA-1: 8496c923a0f4cc23824564960fe78c98a083b441 SHA-256: 52de3b7dac1fc0379299d0d4913bf7995a4896fb63266d6b22f5c22c5b068883

94 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, including a call to eval(), which is a strong indicator of malicious intent. The JavaScript appears to be obfuscated, but the presence of eval() suggests it's designed to execute arbitrary code. This is likely a downloader for a second-stage payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 0.9976

Heuristics 4

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0029_000.js` `99d2cc6dcf78d99c8ef343e5e332df02e6bbe7d72a682e26578f7bf6824bdb0e`	pdf-javascript-stream	PDF /JS object 29 at offset 0x3B75	4096 bytes
`javascript_obj0030_001.js` `28952cd31431c50a45f44e484a8a713c81ebd87ee64b4113fc544a6c94e98722`	pdf-javascript-stream	PDF /JS object 30 at offset 0xC8A2	38 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.