PDF malware analysis — malicious · 7cb39ded0d6e1d80

MALICIOUS

PDF

12.6 KB

MD5: 9e4dd2118c770fbc94ea681ddd51598b SHA-1: a6653acd8b84feb2a23bc395c27edd56ae6a6d1d SHA-256: 7cb39ded0d6e1d803daafd55ab1c27a2ef2a4f488ecede677e726c01537066f9

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript within its metadata, flagged by multiple high-severity heuristics as an 'eval stager' and a general 'malicious PDF'. ClamAV also detected it as 'Pdf.Exploit.Dropped-94'. The ML classifier strongly indicates maliciousness. The embedded JavaScript is likely responsible for executing an exploit, leading to the download or execution of a secondary payload, though the specific actions are not detailed in the provided evidence.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER

PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_000.js` `b554e4a9c2bc060f5abf67ad5d9e9a2f9a588a7707af5779ba791ade7d4b602e`	pdf-javascript-stream	PDF /JS object 76 at offset 0x301A	331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.