Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f3ceb78a9c3cf73…

MALICIOUS

PDF

Size: 20.6 KB
Authoring application: PyPDF2
MD5: fdc3f0eed5682122712f7b35c15066a1
SHA-1: 1e26fea9fcb03e752c06be28492be33b79817849
SHA-256: 8f3ceb78a9c3cf73ad4ac0f71582c55fabbb6dfe13a80540bdcba39ec26f603c
Risk Score: 108

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The JavaScript stream includes a high-confidence PDF_EVAL firing, suggesting the execution of obfuscated code. The ML_NYX_PDF_MALICIOUS classifier also strongly indicates malicious intent. The extracted artifact 'javascript_obj0004_000.js' likely contains the core malicious logic, which is designed to download and execute further payloads. The obfuscated nature of the script and the use of eval() are common techniques for evading detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj0004_000.js
SHA-256: 69d5a20e955f70613970638c22d068d107bbb3626bf5c7884ef272eb5a7182c3
Kind: pdf-javascript-stream
Source: PDF /JS object 4 at offset 0x13F
Size: 7683 bytes

Detection
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Carved artifact contains 1 shell/COM execution token(s).
  • Carved artifact contains 3 eval/decoder/string-building token(s).