Malicious PDF — malware analysis report

Static analysis result for SHA-256 74e131cc10e68fdb…

Verdict: MALICIOUS
File type: PDF
Size: 9.5 KB
Created: 2009-07-14 08:16:46 +01:00
MD5: 0e51ec8b0fe2f80b3bf713b0b3ca5fa3
SHA-1: 47a6c54223363c33645b6e0585a148505679c368
SHA-256: 74e131cc10e68fdb0e3a365608df23c81534b3ea79c8a64d2e4c780cf24d406c
Risk Score: 148

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file contains multiple embedded JavaScript streams, several of which are flagged as part of an exploit cluster. One script, javascript_obj0022_004.js, contains a large, obfuscated string that appears to be a Base64 encoded payload, likely intended for download and execution. The presence of eval() calls and ML classification further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8852

Heuristics (5)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size, Detection.

  • javascript_obj0023_001.js
    SHA-256: aa199a5de64e92cfe3347ff374fdbb8f6ef50472ea0be87a350a62da5ad12399
    Kind: pdf-javascript-stream
    Source: PDF /JS object 23 at offset 0x19C9
    Size: 45 bytes
  • javascript_obj0022_004.js
    SHA-256: bb855501d2307f65d026601bb8ab6e56bc89c65a6758562b5d93592ba0be0d6a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 22 at offset 0x989
    Size: 8069 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob(s))
  • javascript_obj0024_005.js
    SHA-256: 9f4116b5e1cc85dcc92bb2026b070f9be2fe02a5eb49c04c4236a3f187ede826
    Kind: pdf-javascript-stream
    Source: PDF /JS object 24 at offset 0x1A2B
    Size: 2108 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building token(s))
  • javascript_obj0026_006.js
    SHA-256: 02d1ef82e43ea16664a1d098a8d68a53f99710994f2e69433771fd763578cf24
    Kind: pdf-javascript-stream
    Source: PDF /JS object 26 at offset 0x1C3E
    Size: 2785 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 3 eval/decoder/string-building token(s))