PDF malware analysis — malicious · 619387a7d2bfb9dd

MALICIOUS

PDF

16.9 KB

MD5: 74c7d0fd01df7a8c64a292da3aafff5b SHA-1: 28e03847b127cb1f905e98cb20709680c0e5728d SHA-256: 619387a7d2bfb9ddd12c1356aa280e9fa0c57d80a1e9b552585c78158996fad0

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript and utilizes an OpenAction, indicating an attempt to automatically execute code upon opening. The ML classifier strongly suggests malicious intent. While no specific URLs or hashes were extracted, the presence of JavaScript and the OpenAction points to a client-side execution attack, likely to download and run a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 5

OpenAction trigger high PDF_OPENACTION

PDF has an /OpenAction that launches, submits, or opens an external target
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Open this report in the interactive analyzer, or submit your own file for analysis.