Malicious PDF — malware analysis report

Static analysis result for SHA-256 6259d73dd79670a2…

MALICIOUS

PDF

Size: 32.0 KB
Created: 2009-05-01 21:21:45
Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 00d02ed7fe987f47b77b13768afaea39
SHA-1: abca2f12d0dba1badbfcd1b281626b765e45de7b
SHA-256: 6259d73dd79670a23e81025508a92dd7115e555d6587ec325736560a69231228
Risk Score: 114

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains heavily obfuscated JavaScript streams that are flagged as an exploit cluster. The JavaScript is designed to download and execute a second-stage payload, indicated by the use of `eval` and string manipulation to construct commands. The ML classifier strongly suggests malicious intent, and the presence of JavaScript points to T1059.007. Given the nature of PDF exploits, T1203 is also relevant, and T1566.001 is inferred as the likely initial access vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode (low, PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0007_000.js
    SHA-256: cc6968a6ba024264f7569b6297052264fcf720ee5fe8dce988897f7b1c238ed4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x223
    Size: 31584 bytes
  • javascript_obj0007_001.js
    SHA-256: c946739f71226620ddb1b6f21b1af13ef3507b9b77784da8d5accec9a68d4135
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x223
    Size: 31221 bytes