Malicious PDF — malware analysis report

Static analysis result for SHA-256 6933dcb29180e9d5…

MALICIOUS

PDF

Size: 4.7 KB
Authoring application: Maxikapkdezawqa (via Hiulafoninveqfo)
MD5: f77a6f6b3da0db713277f2bccdb4abe5
SHA-1: 9fc77c4a373d469f5daf9b058f0c47a21c2464e8
SHA-256: 6933dcb29180e9d58d82e5ced1080bd82fcdaaaa707f866ddf735840d3d26d0c
Risk score: 86

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript that is obfuscated but appears to be a stager. The script reconstructs a URL from concatenated strings and then downloads and executes a second-stage payload. The high-confidence ML classifier and specific heuristics confirm the malicious nature of the PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager (severity: high, rule: PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256: f6a0c1bd57978680de5d0f9022f1518e477c973daee612e47411672868675b3d
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0xD0B
Size: 927 bytes