Malicious PDF — malware analysis report

Static analysis result for SHA-256 56e29c932fcd2466…

MALICIOUS

PDF

19.66 MB
MD5: a93819884a9e9928c511ecec4c168ead SHA-1: bd962a5adcb2d175c766cc7e22badf72a52fd392 SHA-256: 56e29c932fcd24667bfbee1ada1710ba0d1b8414be6a4e149d37bd80a00f1566
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF file exhibits multiple high-severity heuristic firings related to JavaScript usage and encryption, indicating an attempt to conceal malicious content. The ML classifier strongly flagged this PDF as malicious. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT suggests that embedded JavaScript is used to decrypt or execute the actual payload, which is hidden from standard static analysis. This points to a delivery mechanism designed to bypass initial security checks.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9927

Heuristics 5

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)

Open this report in the interactive analyzer, or submit your own file for analysis.