PDF malware analysis — malicious · 8a844864e6265090

MALICIOUS

PDF

788.1 KB

MD5: 3f301758aa3d5d123a9ddbad1890853b SHA-1: adcb57bce7fbb5e076f3272990bedee1d9544ee5 SHA-256: 8a844864e62650905fc438f6291fa64ae2d3822054cc8354c44a923d5364905e

94 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF contains embedded JavaScript and is encrypted with JavaScript, indicating an attempt to hide malicious content. The ML classifier strongly suggests maliciousness. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT heuristics points to the use of JavaScript to obfuscate and deliver a payload. The document body is unreadable, but the heuristics indicate a likely attack pattern involving JavaScript execution for payload delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.9994

Heuristics 4

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic

Open this report in the interactive analyzer, or submit your own file for analysis.