Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c57ec147805d9bb…

MALICIOUS

PDF

31.3 KB
MD5: 914bd85b00ca6749781f086ecbcea16b SHA-1: 0011d35e40b200d2899571e62b95c5c15125138c SHA-256: 6c57ec147805d9bb0a62c1095f19748b333ff8c3d406e30e7bf3808b4b59119b
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that utilizes an eval() function, a common indicator of exploit activity. The ML classifier strongly suggests maliciousness. The JavaScript stream, though heavily obfuscated and truncated, is the primary mechanism for executing malicious code, likely downloading and executing a secondary payload. The presence of PDF-specific exploit cluster heuristics further supports this conclusion.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0032_000.js
f209284c09c7fc1029ebc166ebc2480c7a2f6167e9208bdc43a4272e1868036d		 pdf-javascript-stream PDF /JS object 32 at offset 0x2CA 3048478 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.