Malicious PDF — malware analysis report

Static analysis result for SHA-256 84c1d16fefacf2c5…

Verdict: MALICIOUS
File type: PDF
Size: 2.4 KB
First seen: 2022-06-20
MD5: f3685e292411f6734ee29fbf72d05670
SHA-1: bd00377b0b1ae357d14a253377dd05d7291de502
SHA-256: 84c1d16fefacf2c509ac56d9556c3034367d30720c4e72bab5a8256c187d2ed2
Risk Score: 150

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9647

Heuristics (3)

  • Malformed PDF header with no object graph [high] PDF_MALFORMED_NO_OBJECT_GRAPH
    File starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
  • Embedded script payload in PDF stream [high] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • PDF JavaScript embeds a Windows Script Host payload [high] PDF_JS_WSCRIPT_PAYLOAD
    PDF JavaScript contains a Windows Script Host/JScript payload using WScript.CreateObject and WScript.Shell with environment, run/exec, registry, sleep, or downloader-adjacent behavior. This is suspicious payload delivery but is not attributed to a specific Acrobat CVE unless a parser/API trigger is also found.