PDF malware analysis — malicious · 61840f1b35454861

MALICIOUS

PDF

51.5 KB Created: 2009-11-23 23:20:25 +03:00 Authoring application: toBeliefUse (via 0ea2cf87ee4b92cb47512acffc14da9d)

MD5: a044870bf16293ebdd826a891988283d SHA-1: 4b4a2245d9abd34a8471e5d71b4c9740e0b0bd17 SHA-256: 61840f1b354548610995017501affb3d309e78dcd4f24f8c920fd91d37fc1a81

154 Risk Score

Machine Learning

Nyx PDF Classifier malicious score 0.9982

Heuristics 5

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0025_000.js` `10141794a0c75a233cf2d79b1aef4d75123d0e07bd75e6a795d8f09e6e9c8a94`	pdf-javascript-stream	PDF /JS object 25 at offset 0x38DA	4096 bytes
`javascript_obj0026_001.js` `c174c5e88cdfc1a2c0b64b28c98ea7a364213d2a42c7e1da78f637689339a341`	pdf-javascript-stream	PDF /JS object 26 at offset 0xC717	39 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.