Malicious PDF — malware analysis report

Static analysis result for SHA-256 698ccca7c6b231eb…

Verdict: MALICIOUS
File type: PDF
Size: 33.8 KB
Created: 2009-12-28 19:38:52 +03:00
Authoring application: sLong (via 4180b5120ca2e09eaa3bd2ebf4b53667)
MD5: 3fdf9cf25fa0db206194213af53f994a
SHA-1: d6a19ad8d949f7da6fdc57f3201155e70e85aa3d
SHA-256: 698ccca7c6b231eb0780ab41417d5173a76d6c45a2f68b0e38e53d1126de6228
Risk Score: 216

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment
  • T1140 Deobfuscate/Decode Files or Information

The PDF embeds two JavaScript streams (objects 16 and 18). The larger one is heavily obfuscated and hands its decoded content to eval(), the staging pattern in which a script rebuilds malicious code at open time and then executes it, likely to fetch a secondary payload. The decoded payload itself is not shown in this report, so that intent is inferred from the obfuscation pattern rather than observed. The ML classifier and ClamAV's ObfuscatedNameObject heuristic on the PDF container corroborate the verdict; a carved JavaScript artifact on its own produces no ClamAV signature hit, which is expected for obfuscated script and is why the verdict rests on the structural heuristics below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics (7)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject. This heuristic fires on PDF name objects written with #xx hex escapes, a trick used to hide keys such as /JavaScript from naive string scanners.
  • eval() call (high, PDF_EVAL)
    eval() found: commonly used for obfuscated exploit execution (matched inside the decoded stream, not the raw file bytes).
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
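
The rules above all depend on the same two steps: carve each /JS stream out of the PDF, decode its /Filter chain, and only then pattern-match the JavaScript (the PDF_EVAL rule notes that eval() was matched inside the decoded stream, where a grep over the raw file would never see it). The following is an added example, not the analysis platform's code: a minimal static triage script whose rule IDs and severities are borrowed from the heuristics listed above, run over two constructed PDFs (one with unescape/fromCharCode/eval staging plus a hidden layer and an /OpenAction trigger, one with ordinary form JavaScript). The function and constant names (build_sample, parse_objects, decode_stream, triage, MAX_DECODED) are this example's own, and it deliberately simplifies: linear object scan with no xref table or object streams, only the ASCIIHex and Flate filters, and substring checks instead of a real PDF dictionary parser.

```python
import binascii
import hashlib
import re
import zlib

MAX_DECODED = 4 * 1024 * 1024  # cap: a /JS stream can wrap a deflate bomb

# Constructed payloads (not from the analysed sample): exploit-style staging vs. form logic.
MALICIOUS_JS = (b"var h = unescape('%u9090%u9090');\n"
                b"var s = String.fromCharCode(97, 112, 112);\n"
                b"eval(s + '.alert(1)');\n")
BENIGN_JS = b"this.getField('total').value = this.getField('qty').value * 2;\n"

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"^(.*?)stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")  # /JS pointing at an indirect object
DECODER_RE = re.compile(rb"\b(eval|unescape|String\.fromCharCode)\s*\(")


def build_sample(js, with_ocg):
    """Constructed minimal PDF: /OpenAction -> /JavaScript action, /JS stream hex+deflate encoded."""
    enc = binascii.hexlify(zlib.compress(js)) + b">"
    catalog = b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R"
    if with_ocg:  # hidden layer plus open trigger, the PDF_OPTIONAL_CONTENT co-occurrence
        catalog += b" /OCProperties << /OCGs [6 0 R] /D << /OFF [6 0 R] >> >>"
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n" + catalog + b" >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter [/ASCIIHexDecode /FlateDecode] >>\n" % len(enc),
        b"stream\n" + enc + b"\nendstream\nendobj\n",
    ]
    if with_ocg:
        parts.append(b"6 0 obj\n<< /Type /OCG /Name (hidden layer) >>\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


def parse_objects(pdf):
    """Linear scan (no xref, no object streams): (number, offset, dict bytes, raw stream or None)."""
    objects = []
    for m in OBJ_RE.finditer(pdf):
        sm = STREAM_RE.match(m.group(3))
        dict_bytes, raw = (sm.group(1), sm.group(2)) if sm else (m.group(3), None)
        objects.append((int(m.group(1)), m.start(), dict_bytes, raw))
    return objects


def decode_stream(dict_bytes, raw):
    """Apply the /Filter chain in declared order; only the two filters used here are implemented."""
    data = raw
    for name in re.findall(rb"/(ASCIIHexDecode|FlateDecode)", dict_bytes):
        if name == b"ASCIIHexDecode":
            hexpart = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
            data = binascii.unhexlify(hexpart + b"0" * (len(hexpart) % 2))  # odd digit padded per spec
        else:
            data = zlib.decompressobj().decompress(data, MAX_DECODED)  # bounded, unlike zlib.decompress
    return data


def triage(pdf):
    """Carve every /JS stream, then score with rules modelled on the report's heuristic IDs."""
    js_targets = {int(n) for n in JS_REF_RE.findall(pdf)}
    artifacts, decoder_hits, eval_seen = [], 0, False
    for num, offset, dict_bytes, raw in parse_objects(pdf):
        if raw is None or not (num in js_targets or b"/JS" in dict_bytes):
            continue
        js = decode_stream(dict_bytes, raw)  # token rules run on the decoded stream only
        tokens = DECODER_RE.findall(js)
        decoder_hits += len(tokens)
        eval_seen = eval_seen or b"eval" in tokens
        artifacts.append({"name": "javascript_obj%04d_%03d.js" % (num, len(artifacts)),
                          "sha256": hashlib.sha256(js).hexdigest(), "offset": offset,
                          "size": len(js), "tokens": sorted(set(tokens)), "data": js})
    rules = [
        ("PDF_JAVASCRIPT", "low", b"/JavaScript" in pdf),
        ("PDF_JS", "low", b"/JS" in pdf),
        ("PDF_OPTIONAL_CONTENT", "low", b"/OCG" in pdf and (b"/OpenAction" in pdf or b"/AA" in pdf)),
        ("PDF_EVAL", "high", eval_seen),
        ("PDF_JS_EXPLOIT_CLUSTER", "critical", bool(artifacts and decoder_hits)),
    ]
    findings = [(rule_id, sev) for rule_id, sev, hit in rules if hit]
    severities = {sev for _, sev in findings}
    verdict = ("malicious" if "critical" in severities
               else "suspicious" if "high" in severities else "low-risk")
    return {"findings": findings, "artifacts": artifacts, "verdict": verdict}


if __name__ == "__main__":
    for label, js, ocg in (("exploit-style", MALICIOUS_JS, True), ("benign form", BENIGN_JS, False)):
        result = triage(build_sample(js, ocg))
        print(label, "->", result["verdict"], result["findings"])
        for art in result["artifacts"]:
            print("  carved %s at offset 0x%X, %d bytes, tokens %r"
                  % (art["name"], art["offset"], art["size"], art["tokens"]))
```

Two design points carry over to real triage. First, the benign form sample trips only the two low-severity rules, which is exactly the separation the cluster rule describes: generic JavaScript is noise, JavaScript plus decoder tokens is the signal. Second, decoding is bounded (decompressobj with a maximum output length) because an attacker who knows the scanner inflates every stream can make it exhaust memory before the rules ever run; a production parser would additionally resolve the xref table, unpack object streams and walk the /Names JavaScript tree rather than relying on substring matches.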

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                   Kind                   Source                              Size
javascript_obj0016_000.js  pdf-javascript-stream  PDF /JS object 16 at offset 0x206B  35939 bytes
  SHA-256: 1a66fef6724d211b244d7fd00491bafe31b9f60036c156ccd5c16954669a2b53
javascript_obj0018_001.js  pdf-javascript-stream  PDF /JS object 18 at offset 0x7C44  1417 bytes
  SHA-256: 2598d77534bb2a3a388810919873f090ff9b8df26ec3f7a812ff40c6012ced32

Detection (expanded artifact detail)
  ClamAV: No threats found
  Obfuscation or payload: likely
  Carved artifact contains 1 eval/decoder/string-building token(s).