Malicious PDF — malware analysis report

Static analysis result for SHA-256 8305c9ef9d785a94…

Verdict: MALICIOUS
File type: PDF
Size: 7.1 KB
MD5: def8a593d2dedee30aba174c72fbb330
SHA-1: 56424547e00645a539a05af10919bccea353d28c
SHA-256: 8305c9ef9d785a946cfc25caf2d36e1ae66f96b5374ab4070433a31c9c7cf277
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that is obfuscated and likely exploits a known vulnerability. The 'PDF_JS_EXPLOIT_CLUSTER' and 'PDF_UNESCAPE' heuristics indicate the script attempts to leverage an exploit. The ML classifier also flagged it as malicious with high confidence. The primary function appears to be executing arbitrary code, likely to download and run a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9825

Heuristics (6)

  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call [high] PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits. (matched inside decoded stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_002_off00000328.bin
    SHA-256: ba6ef2fa3bea15f220536515db786e07fa9baacc901d6801e7af4dd88faedf6e
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x328
    Size: 3135 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
  • Filename: objstm_0024_00.bin
    SHA-256: c3f330b5818e575f4f3a1807092deeaee6f881843e914a5f1e18fde2b23b0056
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 24 0 obj (inflated)
    Size: 331 bytes