Malicious PDF — malware analysis report

Static analysis result for SHA-256 815397fcf7d68eb7…

MALICIOUS

PDF

26.7 KB Created: N…¡Z€ð—é? >È ¹óB ’ðå Authoring application: ô@“ikÂÀÊØl;~ûS;û (via ô@“zkÂÀÀØi;û_;ìØ)
MD5: b2964fc61138cd50b2090acff0bba928 SHA-1: e79a6996d89676ad6e0f5e5766658aae6475d86c SHA-256: 815397fcf7d68eb72efe8681981fff732a0b444d2635679cb81acb0f8c18f60e
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by an ML classifier and exhibits high-confidence heuristics for embedded JavaScript and PDF encryption used to hide malicious content. The embedded JavaScript, specifically in `javascript_obj0008_000.js`, appears to be deobfuscating content and likely prepares for or initiates the download of a second-stage payload. The presence of JavaScript actions and embedded JS streams strongly suggests an attempt to execute malicious code upon opening the document, typical of a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
977388655ec91743c58576468c557ebb01e95b5eff9913307779a7bbbd3f29f4		 pdf-javascript-stream PDF /JS object 8 at offset 0x4E6 2047 bytes
javascript_obj0009_000.js
683970285391eb117631d1b59ee96c50419115dad254ad2b51f0c6fac9d39acc		 pdf-javascript-stream PDF /JS object 9 at offset 0x3CF 24852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.