Malicious PDF — malware analysis report

Static analysis result for SHA-256 7585078de408b0e4…

MALICIOUS

PDF

Size: 12.0 KB
Created: 2010-11-17 21:28:12 +03:00
Authoring application: XMhd_m (via e26fef)
MD5: 1db10251c88cb73c6062e42234a51523
SHA-1: 7b78e813b7603cef97b290c4e3a33c4d5ef8233b
SHA-256: 7585078de408b0e43d2b82366da7de1762c61c541faf4419711cf7f9bec93e2c
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

The PDF contains multiple embedded JavaScript streams, with heuristics indicating the use of eval() and String.fromCharCode for obfuscation. One script, javascript_obj0015_002.js, directly calls app.doc.eval() with the output of other deobfuscated scripts, strongly suggesting it's designed to execute arbitrary code. This points to an exploit targeting PDF vulnerabilities for initial execution, likely to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (7)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size, Detection.

  • javascript_obj0011_000.js
    SHA-256: 3ff057eee32e8ea14a010ae77b0664666a986dd6f1f6be65c50fcc66eed10a48
    Kind: pdf-javascript-stream
    Source: PDF /JS object 11 at offset 0x23C5
    Size: 2411 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building token(s)).
  • javascript_obj0013_001.js
    SHA-256: c08239551b309c65d809854f7ce8fc292651d843c10d9fb7a498155586425651
    Kind: pdf-javascript-stream
    Source: PDF /JS object 13 at offset 0x2806
    Size: 1092 bytes
    Detection: none reported.
  • javascript_obj0015_002.js
    SHA-256: 08ebc3d1fff647e843ee6897b90329481e3894fa715ace4d7da6f1b0eda40e28
    Kind: pdf-javascript-stream
    Source: PDF /JS object 15 at offset 0x2A71
    Size: 300 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s)).