PDF malware analysis — malicious · 5949eadac21602b6

MALICIOUS

PDF

846.2 KB Authoring application: Google

MD5: 1e020a0e4b2b9e8346a5b2e440841525 SHA-1: 36b5716b8c82dbd3c7a5366ee40b992afef4010a SHA-256: 5949eadac21602b6a9e86b10c2faec7a2dfb37f74d2e4361c3cc36e643557a43

66 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains JavaScript actions and a URI pointing to an email address, suggesting a phishing or scam attempt. The 'PDF_IMAGE_ONLY_LURE' heuristic indicates the document is designed to appear as legitimate content while hiding its malicious intent. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

Nyx PDF Classifier malicious score 0.9514

Heuristics 3

PDF paints image(s) but contains no text operators medium PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
External URI low PDF_URI

PDF contains an external URL action

Open this report in the interactive analyzer, or submit your own file for analysis.