PDF malware analysis — malicious · 6fca509d8e529910

MALICIOUS

PDF

1.4 KB

MD5: 6a988eadad9bb73aa8d822cd0a5e7750 SHA-1: 7ba8d01e01497b38b6c35b01064f1f17dd747c6d SHA-256: 6fca509d8e529910fa3d9de0f3e62c0edccbfb6cbd6e68d741d8c458b3dc5a44

76 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains embedded JavaScript and is flagged by a machine learning classifier as malicious. The JavaScript action and embedded stream, combined with the ASCIIHexDecode filter, suggest an attempt to exploit a client-side vulnerability for execution. The presence of 'CYsoVyap.swf' indicates a likely second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Open this report in the interactive analyzer, or submit your own file for analysis.