PDF malware analysis — malicious · 6fd71c5f5bc50f3b

MALICIOUS

PDF

7.3 KB Authoring application: Bofatezozinefaxfa (via 6d7a6Vogewojixariuawi)

MD5: 37301f9517466160dd4148aff591b88d SHA-1: ba853707f800c0b6f819570b7359305c1b6a7cdb SHA-256: 6fd71c5f5bc50f3b0f2670017a0d114ba75db4665d9baf2fbedf5caeff0a73ac

106 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript, indicated by the 'PDF_OBFUSCATED_NAME_OBJECT' heuristic. The embedded JavaScript stream, 'javascript_obj0011_000.js', is likely responsible for downloading and executing a secondary payload. The ML classifier also flagged this PDF as malicious with a high probability. Given these factors, the primary attack pattern is likely spearphishing attachment, leading to the execution of malicious JavaScript.

Machine Learning

Nyx PDF Classifier malicious score 0.9954

Heuristics 3

Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT

A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0011_000.js` `ca838ab153ea9de4fff1e74bdd0848fd720f71bc6fbee4425be234136cd19b41`	pdf-javascript-stream	PDF /JS object 11 at offset 0x1349	2325 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.