Malicious PDF — malware analysis report

Static analysis result for SHA-256 805cf1729e4749c0…

MALICIOUS

PDF

Size: 2.9 KB
Created: 2009-01-09 23:22:34
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 2a476a031f06a44fc62edc1029cfc5bf
SHA-1: 66666297835590e793ef56b83c7a6a489a7b253f
SHA-256: 805cf1729e4749c03fe7a2dd3f50b2954dfbaaa23f31bdbb0475b68cec712341
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains embedded JavaScript, with high-severity heuristics indicating the use of eval() and unescape() for obfuscation. The ML classifier strongly flagged this PDF as malicious. The presence of two JavaScript streams, one of which is significantly larger, suggests complex malicious scripting. The primary intent appears to be the execution of obfuscated JavaScript, likely to download and execute a second-stage payload, as indicated by the 'ML_NYX_PDF_MALICIOUS' heuristic and the nature of the embedded scripts.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (5)

  • eval() call (severity: high, rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0001_000.js
  SHA-256:  c8a62f967b403151f005234653e0f73f8a429dc887d2392f40b67c4b99b62c00
  Kind:     pdf-javascript-stream
  Source:   PDF /JS object 1 at offset 0xF
  Size:     35 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 2 eval/decoder/string-building token(s).

Artifact 2
  Filename: javascript_obj0013_001.js
  SHA-256:  af7aae820b4e5683297769a2329e1c0e5cca561c14470c6708239e85579ff9c7
  Kind:     pdf-javascript-stream
  Source:   PDF /JS object 13 at offset 0x41F
  Size:     4451 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 1 long base64-like blob(s).