Malicious PDF — malware analysis report

Static analysis result for SHA-256 98eee5be6f1217cc…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
MD5: e7016b619c3eca3988dd9377e674938d
SHA-1: 7185da9150c0c1e351919781524872747a71ade4
SHA-256: 98eee5be6f1217cc8028521c0141501ffa4033692c7c5240cbe3c75463192f1a
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains an embedded JavaScript payload, indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. The script, extracted as 'stream_000_off0000004e.js', is likely designed to exploit a PDF vulnerability and download a second-stage payload. The 'PDF_UNESCAPE' and 'PDF_FROMCHARCODE' heuristics further suggest obfuscation techniques used within the PDF structure to hide the malicious script.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0001

Heuristics (4)

  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream (severity: medium, rule PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • String.fromCharCode (severity: low, rule PDF_FROMCHARCODE)
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns per artifact: Filename, Kind, Source, Size, SHA-256, Detection.

  • stream_000_off0000004e.js
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x4E
    Size: 9750 bytes
    SHA-256: 36841885d4c0445b22c5450e43555b546557790c38a588971b418c13e1d8f760
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 1 eval/decoder/string-building token(s).
  • icc_00_off00000aa1.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0xAA1
    Size: 1328 bytes
    SHA-256: eda03c8910c87b8a3e3c1ffbc35d223da8ae1d0dcfbad0c153c4eefbff436723
  • icc_01_off00000e23.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0xE23
    Size: 1296 bytes
    SHA-256: 94722fe267764797f8887379cc0d355f5118beb3d186e087bfbd9e1a3f2d3f49
  • font_00_sfnt_off000043a7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x43A7
    Size: 8976 bytes
    SHA-256: d9b6c301313012d605d12323ec7c49a642b7ba8b78dc73a569d16f1f8d4fcd77
  • font_01_sfnt_off000059df.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x59DF
    Size: 25196 bytes
    SHA-256: 9c7579bc3310c7fb9d9b51a71fa4f6aae627f6d155bd97108d677e020c8b8b2a