Malicious PDF — malware analysis report

Static analysis result for SHA-256 6727df6f091add0d…

MALICIOUS

PDF

6.7 KB Created: ˜:ëdi‡‚ = 0ïR Authoring application: c«=N$Ĕ>0õR„ (via c«=N$ĔyKO²Ē¯:_…EÍ·`º”)
MD5: 39266a5595deb85803f8a45df7ea143a SHA-1: 66eceee0c6d20ebf516fb8c2d07d7a7c06478d54 SHA-256: 6727df6f091add0d2da639b61dea2987208667426676f2277db5e0ed5de6badc
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript, which is heavily obfuscated and likely responsible for downloading and executing a second-stage payload. The ML classifier and heuristics strongly indicate malicious intent, with the JavaScript action and encrypted nature of the PDF hiding the true payload. The presence of a JavaScript stream and the ML classification point towards a malicious document, likely delivered via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0024_001.js
9b34abbbd2d8526ef79f776fc24cb09fa561f60ecc564d42ee9884339473b688		 pdf-javascript-stream PDF /JS object 24 at offset 0x8CF 7184 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.