PDF malware analysis — malicious · 9b9a8fab6184b0c4

MALICIOUS

PDF

145.2 KB Created: 2008-05-18 21:50:46 +04:00 Authoring application: PDFCreator Version 0.9.0 (via AFPL Ghostscript 8.53)

MD5: 1557801a38b84458488208a24bdf8ff9 SHA-1: 474159b9bbf79b7e7d594946c66cb8b82a60c555 SHA-256: 9b9a8fab6184b0c4d4d22dff74818fc8878ffe3161187dc9f891a7d081535264

62 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript and triggers heuristics related to JavaScript actions, embedded JS streams, and ASCII85Decode filters, indicating an attempt to exploit vulnerabilities. The ML classifier also flagged this PDF as malicious. The specific attack pattern involves leveraging these elements to execute arbitrary code, likely for further payload delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.8013

Heuristics 4

JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_009_off00021bce.bin` `18160695d6a5de65f93e0a8675dcdc679a30a1f44c2f35f4ae4a76c8c8774082`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x21BCE	428 bytes
`font_00_sfnt_off000029b7.bin` `c0f7df7b4c0e3f7641e38f94f6483d97d081649c36d5f87d3c1a5d82a4132acf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x29B7	32792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.