Malicious PDF — malware analysis report

Static analysis result for SHA-256 737e234d41fbbf30…

MALICIOUS

PDF

31.5 KB Created: ¦!Oøô¾ÌI-m_-W|YT/$/1Jaˆ Authoring application: ä}‹Åüü4mie'l (via ä}˜Åüü1mhe+lf)
MD5: 8e961eabbf74eefa4b47846e7bf9b62b SHA-1: 776607f8952f83937fefa5e03318e8a36ed6f2e7 SHA-256: 737e234d41fbbf308fd3262e55fdab0707f18aecbe974a47ca4b29427120844c
94 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
850c2075dd637bad0174b3d2cafcfa402c32e1953ff4aefbbaa6e72b5f0dfb33		 pdf-javascript-stream PDF /JS object 8 at offset 0x4EE 2047 bytes
javascript_obj0009_000.js
6023b9cdd793f75ab5fe6f04926901bde1a5edd01ec6f28e3028e48d165fe2a3		 pdf-javascript-stream PDF /JS object 9 at offset 0x3D3 29592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.