Malicious PDF — malware analysis report

Static analysis result for SHA-256 78a24e2d8edef088…

Verdict: MALICIOUS

File type: PDF

  • Size: 31.7 KB
  • Created: ¾,ãìö-ÅՐ¼"þ¢L;® fF¿i[
  • Authoring application: éџÇoõˆ¡ïº–ä (via éьÇoõ‚¡ê»–ó!$)
  • MD5: edfaf3828ce59b47286439fc919b5e5f
  • SHA-1: 6cf8d11da74a6b3aaa8b1ed9247df3a4380900b2
  • SHA-256: 78a24e2d8edef088fe57857b4268e5e0ec7bee5f994152099bddc615225e03c7

Risk Score: 94

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis [high] (PDF_ENCRYPTED_WITH_JS)
    The PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [low] (PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] (PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger [low] (PDF_OPTIONAL_CONTENT)
    An Optional Content Group (layer) co-occurs with an action trigger. Content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                   | SHA-256                                                          | Kind                  | Source                         | Size
javascript_obj0008_000.js  | c9c6f556884f77337d668c92b6a99a3690ecded8accb688cddd17112c2feffdc | pdf-javascript-stream | PDF /JS object 8 at offset 0x4EE | 2047 bytes
javascript_obj0009_000.js  | c5ef9de5aaf1ed8e47189eb607d0bdfb5961d9ff195133b2105de51c596f67b7 | pdf-javascript-stream | PDF /JS object 9 at offset 0x3BC | 29820 bytes