Malicious PDF — malware analysis report

Static analysis result for SHA-256 5760fb021fe7af77…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Created: 2009-05-01 21:21:45
Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 05decf65e3b7e6afa5fc4ae420aecaae
SHA-1: 4f4b8a922e539c8d73307e0771ee7ed15b678580
SHA-256: 5760fb021fe7af7702068763dbcf81b102a8b1dce0becbbf968549a834b67f73
Risk Score: 128

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.007 JavaScript

This PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, PDF_EVAL, and PDF_UNESCAPE. The ML classifier also strongly flagged it as malicious. The JavaScript likely uses eval() and unescape() to deobfuscate and execute code, a common technique for downloading and running further malicious payloads. The presence of obfuscated script indicators further supports this. The confidence is high due to the strong ML signal and multiple JavaScript-related heuristics.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis (Filename, Kind, Source, Size).

  • javascript_obj0007_000.js
    SHA-256: 8375fee1d0bec10c6cc9c29350108276c60b1be650f5fad06cd7458d2f0744e4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x215
    Size: 35126 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s))
  • javascript_obj0007_001.js
    SHA-256: a7269b99a86bbbe23c9ee5ef1887ce79d0007c7cb0f809b5089f01ce027e37ec
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x215
    Size: 35039 bytes