Malicious PDF — malware analysis report

Static analysis result for SHA-256 72ed6a8abab2778b…

MALICIOUS

PDF

Size: 9.7 KB
Created: 2008-11-10 18:42:11 +01:00
Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.1.0)
MD5: e51f24ec2e3d2cf71aa1ba74a7210841
SHA-1: 4307123b6d5408eec81c65f570352ec1e29596e7
SHA-256: 72ed6a8abab2778b0efb97eadf0e16259ecd161f6bf479541b4bb138f6d2c738
Risk Score: 210

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains obfuscated JavaScript that uses eval() and unescape() functions, indicating an attempt to hide malicious code. The ML classifier and heuristic firings strongly suggest this is a malicious PDF exploiting a known cluster of JavaScript vulnerabilities. The script is designed to decode and execute a secondary payload, likely for further system compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (8)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0022_000.js
SHA-256: 4ec3f9036f7a040d7d59b0eada0b46c23ab8b0c21d8779d4d6dd460e710b5201
Kind: pdf-javascript-stream
Source: PDF /JS object 22 at offset 0x52E
Size: 24991 bytes

Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 5 long hex-escaped blob(s).