Malicious PDF — malware analysis report

Static analysis result for SHA-256 579e509f351fb073…

MALICIOUS

PDF

Size: 1.95 MB
Created: 2009-11-07 00:56:24 +03:00
Authoring application: manyTypeAre (via be100b06aa2c4c5164f9f1c4a4fe2781)
MD5: ff0c4c68b8b2c0c2c218e596b74c954f
SHA-1: fd76dca8670ff8151b116bf7d303557399707565
SHA-256: 579e509f351fb07317520a9aaf9ae7559fd437fa1599315735d2941a29aff644
Risk score: 156

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript T1204.002 User Execution: Malicious File

This PDF contains embedded JavaScript: the PDF_JAVASCRIPT and PDF_JS heuristics fired on a /JavaScript action and a /JS stream, and two JavaScript streams were carved from objects 21 and 22. The high-severity PDF_EVAL rule matched an eval() call inside a decoded stream, so the script text is stored compressed or encoded and the call only becomes visible once the stream is inflated; eval() on a string assembled at run time is the usual way exploit code or a second-stage downloader is unpacked to defeat string-based scanning. The ML classifier also scored the file as malicious (0.9994). The file is additionally a polyglot: a second, complete PDF body starts at offset 0x1F92 and runs to the end of the file (0x1F92 + 2039918 bytes = 2048000 bytes, the file's 1.95 MB), and both carved JavaScript objects sit at offsets beyond 0x1F92, so if those are file offsets the payload lives inside the secondary body, where a parser that follows only the top-level structure can miss it. The pdfminer.six cross-check failed with PSEOF (end of data reached while parsing), so no differential-parse signal is available and the verdict rests on the static heuristics and the classifier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (6)

  • POLYGLOT_CHILD_PDF_STATIC_TRIAGE (critical): secondary embedded PDF body has suspicious static findings
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. The rule is written for polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload; in this sample the container is itself a PDF (see Extracted artifacts), so the secondary body is a PDF inside a PDF and a parser that only follows the top-level structure can miss it.
  • PDF_EVAL (high): eval() call
    eval() found, matched inside a decoded stream, i.e. only after the stream was inflated and not in the raw bytes. It is commonly used to execute obfuscated exploit code that is assembled as a string at run time.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_OPTIONAL_CONTENT (low): Optional Content Group with action trigger
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.
  • PDF_DIFFERENTIAL_PARSE_FAILED (info): PDF differential parser failed
    The cross-check parser (pdfminer.six) failed on this file with PSEOF, pdfminer's exception for reaching the end of the data while still parsing. The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing, so the file's structure was not confirmed by an independent parser.
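The carving and decoded-stream scanning behind the POLYGLOT_CHILD_PDF_STATIC_TRIAGE and PDF_EVAL findings above, as an added Python example. This is not the analyzer's code and is not derived from the analysed sample: the input is a constructed PDF-inside-PDF with a FlateDecode-compressed /JS stream, the rule names are reused only as labels, and the minimal stream parser (direct /Length, no nested dictionaries, FlateDecode only) is an assumption chosen for the demo rather than a full PDF parser.

```python
import re
import zlib

PDF_MAGIC = b"%PDF-"
EVAL_RE = re.compile(rb"\beval\s*\(")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")

# Constructed sample, not the analysed file: a PDF header standing in for the
# outer container, then at a nonzero offset a second, complete PDF body whose
# /OpenAction runs a /JS stream. The script is FlateDecode-compressed, so the
# eval() call is only visible once the stream is inflated.
OUTER_PREFIX = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
INNER_JS = b'var p = "app.alert(1)"; eval(p);'  # harmless stand-in payload


def build_child_pdf(js: bytes) -> bytes:
    z = zlib.compress(js)
    stream_dict = b"<< /Length %d /Filter /FlateDecode >>" % len(z)
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n" + stream_dict + b"\nstream\n" + z +
            b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


SAMPLE = OUTER_PREFIX + build_child_pdf(INNER_JS)
BENIGN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def find_pdf_headers(data: bytes) -> list:
    """Every offset at which a PDF header appears, including offset 0."""
    return [m.start() for m in re.finditer(re.escape(PDF_MAGIC), data)]


def carve_child_pdfs(data: bytes) -> list:
    """(offset, bytes) for each PDF body at a nonzero offset. Each carve runs
    to end of file, which is how the report sizes its polyglot artifact."""
    return [(off, data[off:]) for off in find_pdf_headers(data) if off != 0]


def decode_streams(pdf: bytes) -> list:
    """(dictionary, decoded bytes) for every stream. A direct /Length is
    honoured, otherwise the endstream keyword is used; FlateDecode streams are
    inflated, other filters are left raw. Nested << >> dictionaries are not
    handled (enough for the demo, not a full parser)."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        d_end = pdf.rfind(b">>", 0, m.start())
        d_start = pdf.rfind(b"<<", 0, d_end)
        d = pdf[d_start:d_end]
        ln = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", d)
        if ln:
            raw = pdf[m.end():m.end() + int(ln.group(1))]
        else:
            end = pdf.find(b"endstream", m.end())
            raw = pdf[m.end():end if end >= 0 else len(pdf)].rstrip(b"\r\n")
        if b"/FlateDecode" in d:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or fake filter: keep raw bytes for string scanning
        out.append((d, raw))
    return out


def scan_pdf_body(pdf: bytes) -> set:
    """String heuristics named like the report's rules: generic JavaScript
    markers are the low-severity ones, eval() inside a decoded stream is high."""
    found = set()
    if re.search(rb"/JavaScript\b", pdf):
        found.add("PDF_JAVASCRIPT")
    if re.search(rb"/JS\b", pdf):
        found.add("PDF_JS")
    for _, decoded in decode_streams(pdf):
        if EVAL_RE.search(decoded):
            found.add("PDF_EVAL")
    return found


def triage(data: bytes) -> dict:
    """Scan the whole file, then carve every secondary PDF body and scan it on
    its own; a child with findings raises the polyglot flag."""
    report = {"findings": scan_pdf_body(data), "children": [], "eval_streams": []}
    for off, child in carve_child_pdfs(data):
        hits = scan_pdf_body(child)
        report["children"].append({"offset": off, "size": len(child), "findings": hits})
        if hits:
            report["findings"].add("POLYGLOT_CHILD_PDF_STATIC_TRIAGE")
    report["eval_streams"] = [dec for _, dec in decode_streams(data) if EVAL_RE.search(dec)]
    return report


if __name__ == "__main__":
    for name, blob in (("polyglot", SAMPLE), ("benign", BENIGN)):
        r = triage(blob)
        print(name, sorted(r["findings"]), [(c["offset"], c["size"]) for c in r["children"]])
```

The `offset + size == len(file)` relation the carve produces is the same check a reviewer can do by hand on the reported artifact: 0x1F92 + 2039918 = 2048000 bytes, which is the file's 1.95 MB, so the secondary body runs to the end of the file.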

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0021_000.js
  SHA-256: afe7e1c31982e5550806bca597003867226473058b1c2608d8fc964f87b4cee6
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 21 at offset 0x54A8
  Size:    4096 bytes

Filename: javascript_obj0022_001.js
  SHA-256: 4061395a9a7901377cb0a869e5a91f402ce18a6b4f371d9dbdd0e17c35619249
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 22 at offset 0xE74D
  Size:    40 bytes

Filename: polyglot_child_pdf_off00001f92.pdf
  SHA-256: 6efcc07115c4be928239fd2cc59accddb608b89eb6ec8ea3a615e625d57ed686
  Kind:    polyglot-child-pdf
  Source:  Secondary PDF body inside PDF container at offset 0x1F92
  Size:    2039918 bytes