Malicious PDF — malware analysis report

Static analysis result for SHA-256 9765a8ec780a8b63…

Verdict: MALICIOUS
File type: PDF
File size: 640.4 KB
MD5: 1dab8dd7623606eacb944fedb29f2d0a
SHA-1: 5c9b3da01bc02658e155d9d01a2fc6973e31b029
SHA-256: 9765a8ec780a8b63265e6574aece593b79489386eaf1e26d8b26f6ac6634af7d
Risk Score: 76

Malware Insights

MITRE ATT&CK

  • T1559.002 Component Object Model Hijacking
  • T1059.001 PowerShell

This PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The document body suggests it is attempting to launch an embedded OLE object named 'rfq.doc'. The presence of embedded JavaScript and the ML classification strongly indicate malicious intent, likely to execute further stages of an attack. The embedded 'rfq.doc' is a primary indicator of the malicious payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • ASCIIHexDecode filter (with exploit indicators) [severity: medium, rule: PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes.
  • JavaScript action [severity: low, rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low, rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [severity: low, rule: PDF_EMBEDDED]
    PDF embeds a file attachment; it could carry an executable or another weaponised document as a nested payload.
  • Suspicious extracted artifact [severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename / Kind / Source / Size

  • rfq.doc
    SHA-256: c18a3d5cb1232104953cf308df13f4bd987a489e4ffa0ed87e16a456e6fc0bd7
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x563
    Size: 326989 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely
      Carved artifact contains 80 long base64-like blob(s).

  • javascript_obj0009_000.js
    SHA-256: 2b8480aa51fc9853d3b21a786369059ef1442be8ffeb50eae877beb7200f14bf
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0xA0015
    Size: 56 bytes

  • javascript_obj0009_001.js
    SHA-256: f286270a8c9aa1f70f5c91360077ceaf6cfae7907770446864f31ec3d7971f45
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0xA0015
    Size: 54 bytes