Malicious PDF — malware analysis report

Static analysis result for SHA-256 74254d5365801d36…

MALICIOUS

PDF

Size: 35.0 KB
Created: 2009-05-01 21:21:45
Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 72ed99a8d6923788406c74decd9af381
SHA-1: f06787892c1445342c443de6f0fa8dc0dfcca839
SHA-256: 74254d5365801d36ffb36d38857340389142de9e64aa2a6ba3b79cc9609a7f97
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF file contains embedded JavaScript that uses eval() to deobfuscate and execute code. The script appears to be designed to download and execute a secondary payload, as indicated by the PDF_JS_EXPLOIT_CLUSTER heuristic. The JavaScript payload itself is heavily obfuscated, but the presence of eval() together with the exploit cluster strongly suggests malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF JavaScript exploit cluster (critical) — PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call (high) — PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution.
  • JavaScript action (low) — PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low) — PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.