Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fd43f0ced5a1e50…

MALICIOUS

PDF

37.6 KB Created: [unreadable in source] Authoring application: [unreadable in source]
MD5: 92ab73ae847e06373532b5c416144d5d SHA-1: cea0c578aa18fe5e9ca1b442b5a95da857b47417 SHA-256: 5fd43f0ced5a1e50bda9ae186186d7e5e59c4abbafe9031251468d0cb2ec005d
94 Risk Score

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file contains multiple JavaScript streams, with one being heavily obfuscated and truncated. The presence of PDF_ENCRYPTED_WITH_JS and ML_NYX_PDF_MALICIOUS heuristics indicates malicious intent. The JavaScript likely attempts to download and execute a secondary payload, a common technique for initial access via spearphishing attachments.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • javascript_obj0008_000.js
    SHA-256: 146b962c8db6dec29be729911ac5db415c6cd709b8848ee8ab8ed1449ea787b3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x4F6
    Size: 2047 bytes
  • javascript_obj0009_000.js
    SHA-256: b09149a554553ca3db54e3c5d0b70a268c5bce09ec67ff5a0761515e15ef8fec
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x3CD
    Size: 35788 bytes