PDF malware analysis — malicious · 963dc68bd3ac9e6f

MALICIOUS

PDF

145.2 KB Created: 2008-05-18 21:50:46 +04:00 Authoring application: PDFCreator Version 0.9.0 (via AFPL Ghostscript 8.53)

MD5: e68a03a5a877ac28c6cfb75da2594c87 SHA-1: 0c5a91d0033a9cbd5252437b446d35a74a7a004e SHA-256: 963dc68bd3ac9e6fbff6427c89c8556079f08e19567777f8cd7ada565b2a4dbe

64 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and uses ASCII85Decode filters, both flagged as suspicious. A machine learning classifier also identified the PDF as malicious. The presence of JavaScript actions and streams strongly suggests an attempt to execute arbitrary code, likely to download and run a second-stage payload. The ML classifier's high confidence score further supports this assessment.

Machine Learning

Nyx PDF Classifier malicious score 0.8013

Heuristics 4

JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_009_off00021bce.bin` `18160695d6a5de65f93e0a8675dcdc679a30a1f44c2f35f4ae4a76c8c8774082`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x21BCE	428 bytes
`font_00_sfnt_off000029b7.bin` `c0f7df7b4c0e3f7641e38f94f6483d97d081649c36d5f87d3c1a5d82a4132acf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x29B7	32792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.