Malicious PDF — malware analysis report

Static analysis result for SHA-256 687cd5c1789b50af…

MALICIOUS

PDF

10.9 KB First seen: 2021-01-15
MD5: 47584256245033b4947eae20b3680839 SHA-1: 0f01cd8708cb406a0dc8d3a1ef3d92a34dac281d SHA-256: 687cd5c1789b50afe0357dc3eb18b0335e1f4afc113165a5fdef71608fa7e663
166 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics 4

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.