Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bd6783e7b396045…

MALICIOUS

PDF

4.3 KB
MD5: 7c3033fee508eb8ac7c6dadb939a9b11 SHA-1: bc8dda25e894211f23b478791de1747b12b56b00 SHA-256: 7bd6783e7b39604550b3d93aac3b83d0fb325c14eee4b694a6d47574f31b0a69
196 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF file contains embedded JavaScript and a Flash object, both of which are commonly used to exploit vulnerabilities. The JavaScript is heavily obfuscated and uses an eval() call, indicating it's designed to execute malicious code. The presence of an embedded SWF file further suggests an exploit attempt. The primary function of the JavaScript appears to be downloading and executing a secondary payload, as indicated by the obfuscated code and the PDF_JS_EXPLOIT_CLUSTER heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 7

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
exploit.swf
09da31fcb002129249bb529a7f84709739a96f62781db5f4c6d9bf6e4308eb15		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x4D1 102 bytes
javascript_obj0017_000.js
e9cfa3fee500cdc168e908cedfaccf4ac14e34eeae13a900d90d00f20d69d237		 pdf-javascript-stream PDF /JS object 17 at offset 0x5EB 2360 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.