Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bc6cbe73e85abac…

MALICIOUS

PDF

285.3 KB Authoring application: PyPDF2
MD5: e96c94c35ab06e20b61230530ed3467d SHA-1: 53c2c99247389c1b414997b4386f4bf9731a1521 SHA-256: 6bc6cbe73e85abac0cf9df7f974c3de8ee6132b32f27fdb1101c060f614d4a1c
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript streams that are heavily obfuscated and utilize eval() calls, indicating an attempt to hide malicious code. The ML classifier strongly flagged this PDF as malicious, and the presence of exploit cluster signals further supports this. The primary function of the JavaScript appears to be downloading and executing a secondary payload, though the exact URLs are not directly extractable from the provided evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9974

Heuristics 6

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
42b4366f811fda2212945ace4f6e1e7116a93e6dea6cab8f9fae62e7501c152d		 pdf-javascript-stream PDF /JS object 11 at offset 0x40B 95451 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0011_001.js
d2b3e11320485d0b8e080b25bd642ba8d2d43d3614ba9d92abcda3d6a231c1fe		 pdf-javascript-stream PDF /JS object 11 at offset 0x40B 94083 bytes
new_array_token_stage_000.js
c453f153b6474d074afcf6a5fd04e907070f403164d7222766cf2465fc80d3f9		 deobfuscated-js new-array token-map decoded JavaScript object 11 at offset 0x413 17011 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 shell/COM execution token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.