Malicious PDF — malware analysis report

Static analysis result for SHA-256 9342a1c7c9b630a7…

Verdict: MALICIOUS
File type: PDF
Size: 235.9 KB
MD5: fd31781d955847c23d921a612bff0b56
SHA-1: 9de9891a348f644f131cd9c7d7d556ce13c655d6
SHA-256: 9342a1c7c9b630a7ac42cc56194acf5184e73394d75e8c63a91e0a62eb68d4d6
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

This PDF sample was flagged as malicious by an ML classifier and exhibits several high-severity heuristics indicating the presence of hidden JavaScript. The encryption combined with JavaScript suggests an attempt to conceal a malicious payload, likely for phishing or malware distribution. No specific IOCs were extracted due to the obfuscation and encryption.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8132

Heuristics (5)

  • PDF_ENCRYPTED_WITH_JS (severity: high): Encrypted PDF carries /JavaScript — payload hidden from static analysis.
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF_JAVASCRIPT (severity: low): JavaScript action.
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (severity: low): Embedded JS stream.
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_XFA (severity: low): XFA form.
    PDF uses XML Forms Architecture — can contain script logic.
  • PDF_ACROFORM_BUTTON (severity: low): AcroForm button with action trigger.
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0039_000.js
    SHA-256: 7882fded4ffce89c01f54eb0d35dee569fa864a77e7ea7ebc8a3dff1bbbbc686
    Kind: pdf-javascript-stream
    Source: PDF /JS object 39 at offset 0x22B3
    Size: 10106 bytes