Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ba366c8a76470ce…

MALICIOUS

PDF

Size: 33.7 KB
Created: (unreadable metadata string)
Authoring application: (unreadable metadata string)
MD5: 151d0609c15fa786bd9e0ae4b610713f
SHA-1: 4277fbe7613c0d746617317c4c16e75408d9842f
SHA-256: 6ba366c8a76470ce89d3ea0cd80deb736111258ea151c275c48db4d82a54c6ba
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

This PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript is obfuscated but appears to be involved in hiding content and potentially executing further malicious actions. The presence of encrypted content alongside JavaScript suggests an attempt to evade static analysis and deliver a payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis [severity: high, rule: PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [severity: low, rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low, rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger [severity: low, rule: PDF_OPTIONAL_CONTENT]
    An Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                   | Kind                  | Source                            | Size
---------------------------|-----------------------|-----------------------------------|------------
javascript_obj0008_000.js  | pdf-javascript-stream | PDF /JS object 8 at offset 0x4EE  | 2047 bytes
  SHA-256: 1ada7bb3e773daa47ff6072b889cf123795bcc40a9f4a991a2873b859cb3d19a
javascript_obj0009_000.js  | pdf-javascript-stream | PDF /JS object 9 at offset 0x3B7  | 31860 bytes
  SHA-256: 54530993ad29296c01a309517b49c3a732e668dc6d4c42c23560f1a0b545d81b