Malicious PDF — malware analysis report

Static analysis result for SHA-256 71db7979a0098a4f…

Verdict: MALICIOUS
File type: PDF
Size: 7.1 KB
Authoring application: ÑñA7¨)£@ó[ïEN–Æ%Æv=铀@à (non-printable string as recorded in the sample's metadata)
MD5: b00f52bcc96a437857f90fbae5325fab
SHA-1: f01895ee87822e98ec5a071d5a5f48b27a01f086
SHA-256: 71db7979a0098a4f385d367831c56cd5538e575aaef2f73362d6ec68dca6ed20
Risk Score: 86

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file is flagged as malicious by an ML classifier and contains embedded JavaScript, which is used to obscure malicious content. The document body mimics a pension policy summary to deceive the user. The combination of JavaScript actions and encrypted content suggests the script is used to download and execute a secondary payload, a common malware-delivery tactic.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9982

Heuristics (3)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high; rule: PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low; 1 related finding; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
  SHA-256: 22cf60f31b71c64f28eb353329f65991b5fd5756dc5d55901c6e1cf35dd0d495
  Kind: pdf-javascript-stream
  Source: PDF /JS object 7 at offset 0x208
  Size: 47 bytes
  Preview (first 1,000 lines of the extracted script):
    this.pageNum = 0;this.zoomType = zoomtype.fitP;

Filename: javascript_obj0012_000.js
  SHA-256: 5129f9294e66c180ad21a60bd9e4e68a59895ea312748754d544ed1364cd0f9b
  Kind: pdf-javascript-stream
  Source: PDF /JS object 12 at offset 0x17DB
  Size: 47 bytes
  Preview (first 1,000 lines of the extracted script; stream content is non-printable and was not decodable without the document's decryption key):
    ��=<Ym��� ���$�u� �W ����֮4�\𖔧�]�n }��hA0d�