PDF malware analysis — malicious · 8670547cad25d84a

MALICIOUS

PDF

6.2 KB Created: gÔ+µÈÑ ÊûìÐ Authoring application: pßAyCößÑ|¹ÈæéÐ (via pßAyCöß°b ··¡ºï³¾}-C¾Ò)

MD5: f29098f0b2a63103532436dd2742673d SHA-1: b81ad53c58c9ff3e6641875769f965219a6c6f4e SHA-256: 8670547cad25d84ad707f920188a24912f5adbf28da2a67261bdbb37613ae8d9

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1566.002 Spearphishing Attachment

This PDF file was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript, which is used to encrypt the document and hide its true content via an /OpenAction. This technique is commonly used to evade static analysis and deliver malicious payloads. The obfuscated nature of the JavaScript prevents a detailed analysis of its specific actions, but the overall pattern suggests an attempt to conceal malicious activity.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.