PDF malware analysis — malicious · 6637a184304e4131

MALICIOUS

PDF

32.4 KB

MD5: 6f33907528de564f1a4bae90a9c29d8c SHA-1: 20384b4d741b16de170120cf9d9618945dce98bc SHA-256: 6637a184304e4131d85080b117f070a4d931b80e9721c43bd891550dea4f72be

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF sample contains embedded JavaScript with multiple eval() calls, a strong indicator of malicious intent. The ML classifier and PDF exploit heuristics confirm this, suggesting the JavaScript is designed to exploit a vulnerability and execute arbitrary code. The large size of the JavaScript stream and the presence of eval() suggest it's likely obfuscated and intended to download and run a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0032_000.js` `94e30582a57941034f2ab13ecfdbbbed75561e6aa4c239d7a0a92915d57dffab`	pdf-javascript-stream	PDF /JS object 32 at offset 0x2CA	3484881 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.