PDF malware analysis — malicious · 7aed36f4b985c711

MALICIOUS

PDF

7.3 KB Authoring application: Bofatezozinefaxfa (via 8c188Vogewojixariuawi)

MD5: 3be5b005c1923d062bfb8cbaabdcc07f SHA-1: d9d18ecc13e2ada644c7e0f664e3428ecee90076 SHA-256: 7aed36f4b985c7113ddc9e48f1012866a3541a26aa7b616c4227dd69373f7cf6

166 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains obfuscated JavaScript, flagged by multiple heuristics including ClamAV and an ML classifier. The JavaScript is designed to execute arbitrary code, likely downloading and running a secondary payload. The obfuscation and presence of JavaScript point to a common malware delivery technique.

Machine Learning

Nyx PDF Classifier malicious score 0.9954

Heuristics 4

Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT

A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0011_000.js` `ca838ab153ea9de4fff1e74bdd0848fd720f71bc6fbee4425be234136cd19b41`	pdf-javascript-stream	PDF /JS object 11 at offset 0x1349	2325 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.