Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bf188f7ce663a35…

Verdict: MALICIOUS
File type: PDF
Size: 147.8 KB
MD5: c014bd0d36f240e23089772884120b61
SHA-1: 67c1c923c0a57086b1e4b212035bbf49eb7f5cb9
SHA-256: 5bf188f7ce663a3523c94295388e0b461f038c09fbe306bc754195e4c2a47ceb
Risk Score: 128

Malware Insights

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains multiple embedded JavaScript streams and XFA form data, and the decoded streams trigger the critical JavaScript-exploit cluster heuristic together with the eval() rule. The document is built to execute script when opened and, given the decoder/string-building tokens and long base64-like blobs in the carved streams, most likely stages a secondary payload. Obfuscated JavaScript combined with the exploit-cluster signal strongly indicates malicious intent, although no specific family can be confidently identified. ClamAV matched none of the carved artifacts, so the verdict rests on the heuristics and the ML classifier rather than on a signature.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0872 (a low clean score, consistent with the MALICIOUS verdict)

Heuristics (7)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All eight URLs below are standard RDF/XMP metadata and XFA schema namespace identifiers of the kind found in XMP metadata blocks and XFA form templates; none is a download or callback address, so they are not network indicators for this sample.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/
    • http://www.w3.org/1999/xhtml
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_003_off00000775.js
SHA-256: 382beb763ed1acfe6e3091bd67b6b3ab5f47a72f68d3e7d2c93fb838d22ad19b
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x775
Size: 1634 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building tokens)

Filename: stream_004_off000009ac.js
SHA-256: 30c93741d788434930b3dc451ec85f07ef5aea50c1dfe8c88829c4198544f5de
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x9AC
Size: 1533 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)

Filename: stream_044_off0000f3e6.bin
SHA-256: 0877afcafff88808b1896fd7e130ae48c3b44252144db9791e3c61a155f7f24e
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xF3E6
Size: 18912 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs)

Filename: objstm_0063_00.bin
SHA-256: 2c41215fe6c15249e564baf3444f23b8303b7f95725f0371e5b717e3cb6df45b
Kind: pdf-objstm-decoded
Source: PDF /ObjStm 63 0 obj (inflated)
Size: 12270 bytes
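The heuristics section above and this artifact list describe the same procedure: carve each FlateDecoded stream at its file offset, decode it, then correlate an executable surface (/JavaScript, /JS, /OpenAction, /XFA) with staging tokens (eval/unescape/fromCharCode) and base64-like blobs, and classify extracted URLs by channel. The script below is an added example written for this page, not the scanner that produced the report and not the sample itself. It carves streams with a regex rather than a full PDF parser (so /Length is ignored and /ObjStm containers are not unpacked), resolves #xx name escapes so that /J#53 cannot hide a /JS key, tolerates corrupt deflate data, and runs the report's rule names over a constructed sample PDF built inline. The sample, its JavaScript stub, and the URL http://example.invalid/stage2 are all constructed for the example; the namespace-host list is an assumption that mirrors the URLs seen in this report.

```python
"""Carve a PDF's streams and apply the report's static heuristics to them.

Added example, not the scanner behind the report. Regex carve, not a full parser:
/Length is ignored, /ObjStm containers are not unpacked, and only FlateDecode and
unfiltered streams are decoded. Rule names follow the report's heuristics list.
"""
import re
import zlib
from collections import Counter

# Executable-surface names the PDF_JS_EXPLOIT_CLUSTER rule correlates with staging tokens.
SURFACE_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|XFA)\b")
# "eval/decoder/string-building" tokens counted per decoded stream.
STAGING_RE = re.compile(rb"\b(eval|unescape|fromCharCode)\s*\(")
B64_BLOB_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # "long base64-like blob"
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
# Object header, its dictionary (must not cross an endobj), then the stream body.
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
STREAM_BODY_RE = re.compile(rb"stream\r?\n.*?\r?\nendstream", re.S)
HEXNAME_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Assumed list: hosts that occur in PDFs as XMP/RDF/XFA namespace identifiers, not fetch targets.
NAMESPACE_HOSTS = (b"ns.adobe.com", b"www.w3.org", b"purl.org", b"www.xfa.org")


def unescape_names(data):
    """Resolve #xx escapes in PDF names (/J#53 -> /JS) so name checks cannot be evaded."""
    return HEXNAME_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def carve_streams(pdf):
    """One record per stream: object number, data offset, decoded bytes (None if undecodable)."""
    records = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw, decoded = unescape_names(m.group(2)), m.group(3), None
        if b"/FlateDecode" in dictionary:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None  # truncated or corrupt deflate data: keep the record, do not crash
        elif b"/Filter" not in dictionary:
            decoded = raw
        records.append({"obj": int(m.group(1)), "offset": m.start(3), "decoded": decoded})
    return records


def score_stream(decoded):
    """Per-artifact triage, mirroring the report's 'Obfuscation or payload: likely' flag."""
    names = unescape_names(decoded)
    tokens = Counter(t.decode() for t in STAGING_RE.findall(decoded))
    blobs = len(B64_BLOB_RE.findall(decoded))
    return {"tokens": tokens, "b64_blobs": blobs,
            "surface": {s.decode() for s in SURFACE_RE.findall(names)},
            "has_xfa": b"/XFA" in names or b"xfa.org/schema" in decoded,
            "obfuscation_likely": sum(tokens.values()) > 0 or blobs > 0}


def classify_urls(data):
    """Tag each URL: namespace identifiers are metadata; anything else needs a second look."""
    return [(u.decode(errors="replace"), any(h in u for h in NAMESPACE_HOSTS))
            for u in URL_RE.findall(data)]


def triage(pdf):
    """Reproduce the rule logic: executable surface plus staging tokens => exploit cluster."""
    outside = unescape_names(STREAM_BODY_RE.sub(b"", pdf))  # dictionaries and body only
    surface = {s.decode() for s in SURFACE_RE.findall(outside)}
    streams, tokens, urls = carve_streams(pdf), Counter(), classify_urls(outside)
    has_xfa = "XFA" in surface
    for s in streams:
        if s["decoded"] is None:
            continue
        s["score"] = sc = score_stream(s["decoded"])
        tokens += sc["tokens"]
        surface |= sc["surface"]
        has_xfa = has_xfa or sc["has_xfa"]
        urls += classify_urls(s["decoded"])
    rules = []
    if "JavaScript" in surface: rules.append("PDF_JAVASCRIPT")
    if "JS" in surface: rules.append("PDF_JS")
    if has_xfa: rules.append("PDF_XFA")
    if tokens["eval"]: rules.append("PDF_EVAL")
    if surface and sum(tokens.values()): rules.append("PDF_JS_EXPLOIT_CLUSTER")
    if any(s.get("score", {}).get("obfuscation_likely") for s in streams):
        rules.append("EXTRACTED_FILE_STATIC_TRIAGE")
    if urls: rules.append("EMBEDDED_URL")
    return {"rules": rules, "surface": surface, "tokens": tokens, "urls": urls, "streams": streams}


def build_sample_pdf(staged=True):
    """Constructed sample, not the analysed file. staged=True packs an unescape/eval/fromCharCode
    stub and a constructed URL into a FlateDecode stream; staged=False packs plain form script."""
    if staged:
        js = (b'var u = "http://example.invalid/stage2"; var p = unescape("%u9090%u9090"); '
              b'eval(String.fromCharCode(0x76, 0x61, 0x72) + " x = p;");')
    else:
        js = b'this.getField("total").value = this.getField("qty").value * 2;'
    packed = zlib.compress(js)
    xfa = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
           b'<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/"/></xdp:xdp>')
    objs = [b"<< /Type /Catalog /OpenAction 2 0 R /AcroForm << /XFA 4 0 R >> >>",
            b"<< /S /JavaScript /JS 3 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream",
            b"<< /Length %d >>\nstream\n" % len(xfa) + xfa + b"\nendstream"]
    out = [b"%PDF-1.7\n"] + [b"%d 0 obj\n" % n + o + b"\nendobj\n" for n, o in enumerate(objs, 1)]
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    print("rules:", ", ".join(result["rules"]))
    for s in result["streams"]:
        sc = s.get("score")
        print("obj %d stream at offset 0x%X: %s" % (
            s["obj"], s["offset"], "undecodable" if sc is None else dict(sc["tokens"])))
    for url, ns in result["urls"]:
        print(("namespace " if ns else "REVIEW    ") + url)
```

Running it with staged=True raises PDF_JAVASCRIPT, PDF_JS and PDF_XFA as low-severity generic findings and then escalates to PDF_EVAL and PDF_JS_EXPLOIT_CLUSTER because the decoded stream combines an executable surface with staging tokens; with staged=False the same generic findings fire but the cluster does not, which is the "benign form JavaScript remains low-severity" behaviour the rule text describes. The URL classifier separates the namespace URIs (as in this report's list) from anything that merits a lookup.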