Malicious PDF — malware analysis report

Static analysis result for SHA-256 9495f3f5907ab4eb…

Verdict: MALICIOUS
File type: PDF
Size: 6.6 KB
Created: 2010-12-26 19:13:09
Authoring application: inn ink
MD5: 32fd8bada934bd3034d43e84458d6b44
SHA-1: fbbfe8e6c09fd9dabaa6d178fb032a3b311240e5
SHA-256: 9495f3f5907ab4eb9b6469f5822f9790fbf7ed736b451b8f5331d45ea5fbf83c
Risk score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF sample contains embedded JavaScript, flagged by several heuristics and by an ML classifier scoring it malicious at 0.9999. The JavaScript calls unescape(), which the PDF_UNESCAPE rule scores high because PDF JavaScript exploits commonly use it to turn a %u-encoded string into shellcode for a heap spray. The classifier's confidence together with the /JavaScript action and /JS stream strongly suggests an exploit attempt. The script is obfuscated and ClamAV does not recognise the carved streams, so whether the decoded payload is a downloader that fetches and executes a second stage or a purely in-memory stage cannot be determined statically; the ATT&CK mapping above reflects the report's assessment of the likely post-exploitation behaviour, not a mechanism visible in the script. The document body text is largely unreadable due to encoding issues and provides no further context on the lure.

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9999

Heuristics (4)

  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found; often used to decode shellcode in PDF JavaScript exploits.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0003_000.js
  SHA-256: 5fd374a270aff874a450bf059e746361d77aa80299872f6a5b1328e0847494c3
  Kind: pdf-javascript-stream
  Source: PDF /JS object 3 at offset 0x913
  Size: 3985 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)

Filename: javascript_obj0003_001.js
  SHA-256: 475616a3744c5a909ea0f265c30781bb54b12a3a8005b1f1eb9363eaffbb6121
  Kind: pdf-javascript-stream
  Source: PDF /JS object 3 at offset 0x935
  Size: 4363 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)
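As an added example, not the report's own tooling, the following Python script performs the kind of static triage the heuristics and extracted-artifact sections describe, on a constructed minimal PDF rather than the analysed sample: it carves every /JS entry (inline literals and FlateDecode'd stream objects, the report's "pdf-javascript-stream" kind), scores each script against a few token heuristics (PDF_UNESCAPE is the report's rule ID; JS_EVAL, JS_PERCENT_U_BLOB and the sample PDF are this example's own), and decodes the unescape() argument to the bytes a heap spray would place in memory.

```python
import re
import struct
import zlib

# Constructed sample for this example (not the analysed file): a minimal PDF whose
# /OpenAction is a /JavaScript action pointing at a FlateDecode'd /JS stream, the
# same shape as the report's "PDF /JS object" artifacts. The script unescape()s a
# %u blob: two words of 0x90 (NOP sled) and 33 C0 (x86 "xor eax,eax").
_JS_BODY = b'var sc = unescape("%u9090%u9090%uC033"); var n = eval("1+1");'
_JS_FLATE = zlib.compress(_JS_BODY)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /Length " + str(len(_JS_FLATE)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _JS_FLATE + b"\nendstream\nendobj\n"
    b"4 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_KEY_RE = re.compile(rb"/JS\s*(?:\((.*?)\)|(\d+)\s+\d+\s+R)", re.S)  # literal or N G R
UNESCAPE_ARG_RE = re.compile(r"unescape\s*\(\s*(['\"])(.*?)\1\s*\)", re.S)
PCT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# PDF_UNESCAPE is the report's rule ID; the other two names are this example's own.
SUSPICIOUS = {
    "PDF_UNESCAPE": re.compile(r"\bunescape\s*\("),
    "JS_EVAL": re.compile(r"\beval\s*\("),
    "JS_PERCENT_U_BLOB": re.compile(r"(?:%u[0-9A-Fa-f]{4}){2,}"),
}

def parse_objects(pdf):
    """Map object number -> (file offset, raw body) by scanning 'N G obj ... endobj'.
    A linear scan, not an xref walk, so it also finds objects hidden by a broken xref."""
    return {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}

def stream_data(body):
    """Return an object's stream payload, inflated if its dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if b"/FlateDecode" in body[: m.start()]:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # keep the raw bytes; a corrupt stream is itself worth a look
    return data

def carve_javascript(pdf):
    """[(object number, offset, script bytes)] for every /JS entry, resolving
    indirect references to stream objects (the report's pdf-javascript-stream kind)."""
    objs = parse_objects(pdf)
    found = []
    for num, (off, body) in sorted(objs.items()):
        for m in JS_KEY_RE.finditer(body):
            if m.group(1) is not None:            # inline literal string
                found.append((num, off, m.group(1)))
            elif int(m.group(2)) in objs:         # indirect reference to a stream
                ref = int(m.group(2))
                data = stream_data(objs[ref][1])
                if data is not None:
                    found.append((ref, objs[ref][0], data))
    return found

def triage_js(js):
    """Sorted IDs of the heuristics whose pattern occurs in the script."""
    text = js.decode("latin-1") if isinstance(js, bytes) else js
    return sorted(k for k, rx in SUSPICIOUS.items() if rx.search(text))

def js_unescape_bytes(s):
    """Decode a JS unescape() argument to the bytes it occupies in memory.
    unescape() yields UTF-16 code units (%uXXXX is one unit; %XX and each plain
    character are one unit each); a heap spray lays them out little-endian, so
    %u9090 becomes 90 90 and %uC033 becomes 33 C0."""
    units, pos = [], 0
    for m in PCT_RE.finditer(s):
        units.extend(ord(c) for c in s[pos:m.start()])
        units.append(int(m.group(1) or m.group(2), 16))
        pos = m.end()
    units.extend(ord(c) for c in s[pos:])
    return b"".join(struct.pack("<H", u & 0xFFFF) for u in units)

def carve_unescape_payloads(js):
    """Decoded bytes of every unescape('...') literal in the script."""
    text = js.decode("latin-1") if isinstance(js, bytes) else js
    return [js_unescape_bytes(m.group(2)) for m in UNESCAPE_ARG_RE.finditer(text)]

def analyse(pdf):
    """Static triage of one PDF: carved scripts, heuristic hits, decoded unescape() blobs."""
    return [{"object": num, "offset": hex(off), "size": len(js),
             "heuristics": triage_js(js), "payloads": carve_unescape_payloads(js)}
            for num, off, js in carve_javascript(pdf)]

if __name__ == "__main__":
    for e in analyse(SAMPLE_PDF):
        print(f"object {e['object']} at {e['offset']}, {e['size']} bytes:", ", ".join(e["heuristics"]))
        for blob in e["payloads"]:
            print("  unescape() decodes to:", blob.hex(" "))
```

The decoder is the part worth keeping at hand: a string that unescape()s to a long run of identical words followed by bytes that disassemble as x86 (here 33 C0, xor eax,eax) is a heap-spray shellcode stage, whereas a decoded blob that is still printable script is a second obfuscation layer to feed back through the same triage. The object scanner deliberately ignores the xref table, since a sample can hide its /JS object from a conformant reader by corrupting the xref while Acrobat's repair path still finds it; a real triage should also handle /JavaScript in /AA and /Names trees, hex strings, and the other stream filters.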