Malicious PDF — malware analysis report

Static analysis result for SHA-256 81667505942335b7…

Verdict: MALICIOUS
File type: PDF
Size: 3.6 KB
MD5: b06912aa04a8f9bbfea0b33b023cda83
SHA-1: 6a2cb2b5d431c01c645aa70166ab0f528dc06014
SHA-256: 81667505942335b710cad0d917f191b8d4f527c5319dcc07f50d1fb43c1e8d09
Risk Score: 166

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file contains obfuscated JavaScript, indicated by critical heuristic firings for obfuscated name objects and embedded JS streams. The ML classifier also flagged the PDF as highly malicious. The JavaScript is likely designed to download and execute a second-stage payload, a common technique for initial compromise via malicious attachments.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Hex-obfuscated scripting name object (severity: critical, rule: PDF_OBFUSCATED_NAME_OBJECT)
    A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners, for example /J#61v#61S#63r#69p#74, which decodes to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.