Malicious PDF — malware analysis report

Static analysis result for SHA-256 726b666b44a12373…

MALICIOUS

PDF

5.8 KB
MD5: 58375e91e0e59b178d6493bc2b836380 SHA-1: 9af773be8af13760798eb3da946dc5fb99085f40 SHA-256: 726b666b44a12373ea3fd648f0c21c366d18fc1acf1129ed10eb245a0944c085
174 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript and U3D content, triggering heuristics related to PDF JavaScript exploits and Adobe Reader 3D parser vulnerabilities. The embedded JavaScript is too truncated to determine its exact function, but the combination of indicators strongly suggests exploitation for client execution. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0015_000.js
02d4ffa69c353bd9830848447b7631e12b62c99762a5cf00b21c04a6f9c359b2		 pdf-javascript-stream PDF /JS object 15 at offset 0x7D4 55 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.