Malicious PDF — malware analysis report

Static analysis result for SHA-256 90e8f09bdc4a9eda…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Created: (unreadable; the /Info dictionary strings such as /CreationDate are encrypted along with the rest of the document's strings and streams, so the field cannot be read without decrypting the file)
MD5: bc22dca848510df2f579404eff875b6e
SHA-1: 3fe9bae20b2174c337a5e3b3549b2ba3145a88a6
SHA-256: 90e8f09bdc4a9eda833af2ef8e989d64860171e905f6d17109d51b6615d5ab7e
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF was flagged as malicious by the ML classifier (score 0.9999) and contains embedded JavaScript: a /JavaScript action and a referenced /JS stream show that the document is built to execute code in a JavaScript-capable reader. The file is also encrypted (/Encrypt) and carries an /OpenAction trigger. Standard PDF encryption hides string and stream contents from static scanners while leaving dictionary names visible, so the auto-execution indicators are exposed but the script body is not; this combination is consistent with a deliberate attempt to evade static analysis. The embedded attachment 'smS_sKCXqKni0' (27952 bytes, entropy 7.99) is an additional nested-payload candidate that could not be inspected in this pass.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (6)

  • [high] PDF_ENCRYPTED_WITH_JS: encrypted PDF carries /OpenAction; payload hidden from static analysis
    The document declares /Encrypt and also references an auto-execution trigger (/OpenAction). Standard PDF encryption covers strings and stream bodies but not dictionary names, so the JavaScript code itself is hidden from static scanners while the triggers remain visible. Combined with the auto-execution indicators this is a known evasion pattern for delivering weaponised JavaScript that cannot be read without decrypting the document. Caveat: if the file opens in a reader without prompting for a password, the user password is empty and the contents can be recovered with any tool that implements the standard security handler (for example qpdf --decrypt in.pdf out.pdf), so the technique defeats only scanners that never attempt decryption.
  • [medium] PDF_FILTER_HEX: ASCIIHexDecode filter (with exploit indicators)
    An ASCIIHexDecode filter is present alongside exploit-delivery indicators. Hex encoding is a legitimate stream filter, but it is often used to keep payload or shellcode bytes out of reach of plain string matching.
  • [low] PDF_JAVASCRIPT: JavaScript action
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_EMBEDDED: embedded file
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: smS_sKCXqKni0
SHA-256:  557611cca13a45aa54db96d1a5e1783f025f83defccc9a3e51756e15fbcf91eb
Kind:     pdf-embedded-file
Source:   PDF EmbeddedFile object 16 at offset 0x1559
Size:     27952 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content. Because the parent document declares /Encrypt, the carved EmbeddedFile stream is most likely still ciphertext: near-8.0 entropy is expected for any encrypted stream regardless of what it contains, and a ClamAV miss on the raw bytes is not evidence that the attachment is benign. The attachment should be re-hashed and re-scanned after the document has been decrypted; the decrypted file will have a different SHA-256 from the one listed above.
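The heuristics listed above and the entropy check on the carved attachment can be reproduced in a short script. The following is an added example written for this page, not the scanner's own code: it counts the PDF name tokens the rules key on, carves stream objects using their /Length, computes Shannon entropy per stream, and applies the encryption caveat from the Detection section. The rule names are reused from the report; the severities, the combination logic, and the sample PDF bytes (the hex-encoded app.alert and the pseudo-random attachment) are constructed for the example.

```python
"""Static PDF triage modelled on the report's heuristics.

Added example, not the analysis product's code. Rule names follow the
report; severities, combination logic and the sample PDF are this example's own.
"""
import hashlib
import math
import re
from collections import Counter

# PDF *names* (tokens starting with '/') are not encrypted by the standard
# security handler; only strings and stream bodies are. That is why these
# indicators stay visible in an encrypted document while the /JS code does not.
INDICATORS = {
    b"/Encrypt":        ("PDF_ENCRYPTED", "info"),
    b"/OpenAction":     ("PDF_OPENACTION", "medium"),
    b"/JavaScript":     ("PDF_JAVASCRIPT", "low"),
    b"/JS":             ("PDF_JS", "low"),
    b"/EmbeddedFile":   ("PDF_EMBEDDED", "low"),
    b"/ASCIIHexDecode": ("PDF_FILTER_HEX", "medium"),
}

# `N G obj << dict >> stream`; the dictionary may not run past an endobj.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)
# Direct /Length only; an indirect `/Length 8 0 R` falls back to an endstream scan.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_indicators(pdf: bytes) -> dict:
    """Map rule name -> (severity, hit count) for every indicator token present."""
    hits = {}
    for token, (rule, sev) in INDICATORS.items():
        # A name ends at a delimiter, so /JS is not counted inside /JavaScript
        # and /EmbeddedFile is not counted inside /EmbeddedFiles.
        n = len(re.findall(re.escape(token) + rb"(?![A-Za-z0-9])", pdf))
        if n:
            hits[rule] = (sev, n)
    if "PDF_ENCRYPTED" in hits and "PDF_OPENACTION" in hits:
        hits["PDF_ENCRYPTED_WITH_JS"] = ("high", 1)
    return hits


def carve_streams(pdf: bytes) -> list:
    """Return one dict per stream object: number, file offset, dictionary, raw body."""
    out = []
    for m in STREAM_OBJ_RE.finditer(pdf):
        num, dic, start = int(m.group(1)), m.group(2), m.end()
        lm = LENGTH_RE.search(dic)
        if lm:
            body = pdf[start:start + int(lm.group(1))]
        else:
            body = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        out.append({"obj": num, "offset": m.start(), "dict": dic, "body": body})
    return out


def triage(pdf: bytes) -> dict:
    indicators = find_indicators(pdf)
    encrypted = "PDF_ENCRYPTED" in indicators
    streams = []
    for s in carve_streams(pdf):
        h = shannon_entropy(s["body"])
        if h < 7.5:
            verdict = "low entropy; inspect contents directly"
        elif encrypted:
            # Under /Encrypt the carved bytes are ciphertext, so entropy near 8.0
            # says nothing about the payload until the stream is decrypted.
            verdict = "high entropy, but the stream is still encrypted: decrypt before judging"
        else:
            verdict = "high entropy; consistent with packed or encrypted content"
        streams.append({"obj": s["obj"], "offset": s["offset"], "size": len(s["body"]),
                        "sha256": hashlib.sha256(s["body"]).hexdigest(),
                        "entropy": round(h, 2), "verdict": verdict})
    return {"indicators": indicators, "encrypted": encrypted, "streams": streams}


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted attachment."""
    out, h = b"", b""
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample, not the analysed file: encrypted PDF whose /OpenAction runs
# hex-encoded JavaScript, plus one embedded file. /O and /U are placeholders.
JS_HEX = b"6170702E616C657274282748692729>"   # ASCIIHex of app.alert('Hi')
ATTACHMENT = _pseudo_random(8192)
SAMPLE_PDF = b"".join([
    b"%PDF-1.7\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R ",
    b"/Names << /EmbeddedFiles << /Names [(smS_sKCXqKni0) 5 0 R] >> >> >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
    b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
    b"4 0 obj << /Length %d /Filter /ASCIIHexDecode >>\nstream\n" % len(JS_HEX),
    JS_HEX, b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Filespec /F (smS_sKCXqKni0) /EF << /F 6 0 R >> >> endobj\n",
    b"6 0 obj << /Type /EmbeddedFile /Length %d >>\nstream\n" % len(ATTACHMENT),
    ATTACHMENT, b"\nendstream\nendobj\n",
    b"7 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -1 /O <00> /U <00> >> endobj\n",
    b"trailer << /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

Run it directly to print the triage as JSON. The sample is self-consistent for the parser but is not an openable PDF (the /Encrypt dictionary carries placeholder /O and /U values), so the example demonstrates the detection and entropy logic, not decryption; on a real encrypted sample, decrypt first and run the same triage over the plaintext.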