Malicious PDF — malware analysis report

Static analysis result for SHA-256 91fe9e9eb4ad7b73…

MALICIOUS

PDF

Size: 1.95 MB
Created: 2008-09-24 19:47:56
Authoring application: Adobe (via Notepad)
MD5: 16059140a1c73b40976843e277df4aa4
SHA-1: 21e935154ec4ccbc85fbb43e36bd492ca70847a7
SHA-256: 91fe9e9eb4ad7b734389cb8fd57b0298d3296ac8260fccc1b6ed27ff8e58141f
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream includes an eval() call, indicating that it is designed to execute dynamically constructed code; this is a common technique for downloading and executing further malicious payloads. No specific malware family could be identified.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • eval() call (severity: high, rule: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: dedc1a8949db369f6f80e92ba0c5404bfd5f90db7ce52ebd93e3f5828ce8ef7d
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0x136D
Size: 144 bytes

Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).