Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 5bfe7a756fcf6072…

MALICIOUS

PDF / .SWA

34.7 KB
MD5: ac11641ac29c0ba9adf03f7f87495c21 SHA-1: 4afa12fb710a1b1b94e43f4af5f4ee2e83b2e9a3 SHA-256: 5bfe7a756fcf6072121e7c4e8c6014a0d9545a22858b1d55e76cc3014a91715f
74 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The sample is a PDF file flagged as malicious by an ML classifier. Static analysis detected JavaScript actions and embedded JS streams, along with ASCIIHexDecode and ASCII85Decode filters, indicating an attempt to exploit a PDF vulnerability. The presence of JavaScript suggests it's likely used to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Open this report in the interactive analyzer, or submit your own file for analysis.