Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d4f0be7201493a3…

Verdict: MALICIOUS
File type: PDF
Size: 128.8 KB
Authoring application: PyPDF2
MD5: 1a956735570c9f9880951a29514610cc
SHA-1: 0b7fc1d3682568e0c5822e547204f778b3df5f4c
SHA-256: 7d4f0be7201493a309653424f25fbe97f2dda730d523068fa90bb3ef3fcd75e4
Risk score: 88

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF sample contains multiple embedded JavaScript streams (three were carved, from objects 4 and 96), and the high-severity PDF_EVAL heuristic fired on an eval() call inside the carved script, a strong indicator of obfuscated, dynamically executed code. The ML classifier (Nyx PDF Classifier, malicious score 0.9951) independently rated the sample as malicious. Because the script is obfuscated, static analysis cannot recover its exact intent; the eval() call points to dynamic code execution, most likely to stage a downloader or other payload. Two caveats for the analyst: the carved JavaScript is not signature-detected (ClamAV reports no threats), so the verdict rests on heuristics and the ML score, and the T1059.001 (PowerShell) mapping is not supported by any artifact in this report, which contains only JavaScript. Confirming the payload requires deobfuscating the object 4 stream by hand or detonating the sample in an instrumented PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (4)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found; commonly used to execute obfuscated exploit or dropper code.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
SHA-256: 81af66bf6a5b4dc87ba51a0cac9a9e54b91924140aebf45c9cb40241a4006555
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0x238
Size: 97926 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)

Filename: javascript_obj0004_001.js
SHA-256: 33c87e91d26fae0a8802b3ead187c5756b7e0a178c7a4f7cede083916717a032
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0x238
Size: 96567 bytes

Filename: javascript_obj0096_002.js
SHA-256: 6ec6509be655ad55d7f043dd30a57424b3e40e0dcc056cf0d9c53cf4255c07fb
Kind: pdf-javascript-stream
Source: PDF /JS object 96 at offset 0x1F4F4
Size: 808 bytes

Note: the first two artifacts were both carved from object 4 at the same offset but differ in size (97926 vs 96567 bytes); the report does not state how the two carves differ, so compare them before treating them as distinct scripts.
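The heuristics and the artifact table above are produced by a fairly simple static pass: find /JavaScript actions, resolve their /JS references to stream objects, inflate the streams, hash and measure them, and count eval/decoder tokens. The script below is an added example that reproduces that logic; it is not the analysis platform's own code. Only the rule IDs (PDF_JAVASCRIPT, PDF_JS, PDF_EVAL) and severity labels are taken from the report. The PDF it scans is constructed in build_sample_pdf() so it runs offline, and it assumes an unencrypted file whose objects are not packed into /ObjStm and whose /Length values are direct integers.

```python
"""Static triage of a PDF for embedded JavaScript (added example, not the
analysis platform's code). Mirrors the PDF_JAVASCRIPT / PDF_JS / PDF_EVAL
heuristics and the carving shown in the report. Assumptions: unencrypted PDF,
no /ObjStm packing, direct /Length values."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")          # skip "endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\s\d]*R)")         # direct /Length only
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")               # e.g. "/JS 4 0 R"
JS_ACTION_RE = re.compile(rb"/S\s*/JavaScript\b")
EVAL_RE = re.compile(rb"\beval\s*\(")
# Dynamic-evaluation and string-decoding primitives: the same class of
# "eval/decoder/string-building tokens" the report counts per artifact.
DECODER_RE = re.compile(rb"\b(eval|unescape|String\.fromCharCode|atob)\s*\(")

# Constructed sample script (not from the real sample): an encoded blob plus
# eval(unescape(...)), the shape the eval heuristic is meant to catch.
SAMPLE_JS = b'var k = "aW50ZXJuYWw=";\neval(unescape("%61%70%70%2e%61%6c%65%72%74%28%31%29"));\n'


def build_sample_pdf(js, compress=True):
    """Construct a minimal PDF whose /OpenAction runs `js` from a /JS stream."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 3 0 R /OpenAction 2 0 R >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< " + filt + b"/Length %d >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.7\n"), []
    for n, obj in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def _stream_bytes(obj_body):
    """Raw stream payload of one object, or None if the object has no stream."""
    m = STREAM_START_RE.search(obj_body)
    if not m:
        return None
    length = LENGTH_RE.search(obj_body[:m.start()])
    if length:                                   # trust a direct /Length
        return obj_body[m.end():m.end() + int(length.group(1))]
    end = obj_body.find(b"endstream", m.end())   # fallback: keyword scan
    return obj_body[m.end():end].rstrip(b"\r\n") if end >= 0 else None


def triage_pdf(data):
    """Return {'findings': [(rule, severity, text)], 'artifacts': [dict]}."""
    objects = {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(data)}
    findings, artifacts, js_targets, action_seen = [], [], set(), False
    for _, body in objects.values():
        action_seen |= bool(JS_ACTION_RE.search(body))
        js_targets.update(int(r.group(1)) for r in JS_REF_RE.finditer(body))
    if action_seen:
        findings.append(("PDF_JAVASCRIPT", "low", "PDF contains a /JavaScript action"))
    if js_targets:
        findings.append(("PDF_JS", "low", "PDF references a /JS stream"))
    eval_hits = 0
    for idx, num in enumerate(sorted(js_targets)):
        if num not in objects:
            continue                             # dangling reference
        offset, body = objects[num]
        raw = _stream_bytes(body)
        if raw is None:
            continue
        js = raw
        if b"/FlateDecode" in body:
            try:
                js = zlib.decompress(raw)
            except zlib.error:
                pass                             # keep raw bytes; the hash still identifies the blob
        tokens = len(DECODER_RE.findall(js))
        eval_hits += len(EVAL_RE.findall(js))
        artifacts.append({
            "filename": "javascript_obj%04d_%03d.js" % (num, idx),
            "sha256": hashlib.sha256(js).hexdigest(),
            "kind": "pdf-javascript-stream",
            "source": "PDF /JS object %d at offset 0x%X" % (num, offset),
            "size": len(js),
            "decoder_tokens": tokens,
            "obfuscation_likely": tokens > 0,
        })
    if eval_hits:
        findings.append(("PDF_EVAL", "high", "eval() found in carved JavaScript"))
    return {"findings": findings, "artifacts": artifacts}


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf(SAMPLE_JS))
    for rule, sev, text in report["findings"]:
        print("%-15s %-5s %s" % (rule, sev, text))
    for a in report["artifacts"]:
        print(a["filename"], a["source"], a["size"], "bytes, decoder tokens:", a["decoder_tokens"])
```

Running it prints the three findings and one carved artifact named javascript_obj0004_000.js, the same naming scheme as the table above. Swapping SAMPLE_JS for a plain `this.print();` keeps PDF_JAVASCRIPT and PDF_JS but drops PDF_EVAL, which is why the report scores those two rules low on their own: the token count on the carved script, not the mere presence of JavaScript, is what separates a form from a dropper.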