PDF malware analysis — malicious · 9c1c43c47e31a90a

MALICIOUS

PDF

10.5 KB

MD5: 13ed7c1d36eb0452bdeda2e679dcefd7 SHA-1: 5c2b4202ba2111d74030f9f9d9ff2d3de68d26f0 SHA-256: 9c1c43c47e31a90a517a7ece508a62fe150708b5a3e2175769e8c44778b4db09

106 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF file was flagged as malicious by an ML classifier and exhibits several high-severity heuristic firings. Specifically, it contains embedded JavaScript and is encrypted with an OpenAction, indicating an attempt to hide a malicious payload from static analysis. The presence of ASCIIHexDecode filters further suggests obfuscation techniques common in malicious documents. The JavaScript action is the primary mechanism for delivering the malicious payload, likely involving downloading and executing a second-stage component.

Machine Learning

Nyx PDF Classifier malicious score 0.9970

Heuristics 4

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.