PDF malware analysis — malicious · 9ee8e7e7e3bfae1e

MALICIOUS

PDF

6.6 KB

MD5: e44f51a0198e1c94e63d7be4d5dde79b SHA-1: d0d58c3b1a549593e465c30dfadf509d18582018 SHA-256: 9ee8e7e7e3bfae1e8d17f931d44a47ef30684089dec370b5bcc4b8032745716f

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, flagged by multiple high-severity heuristics as a stager for executing arbitrary code. The ML classifier strongly indicates maliciousness. The JavaScript stream, named 'javascript_obj0018_000.js', is the primary artifact responsible for the malicious behavior, likely downloading and executing a second-stage payload. The document body's text appears to be filler or unrelated content, suggesting the malicious functionality is entirely within the embedded script.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Page-word XOR JavaScript eval stager high PDF_PAGE_WORD_XOR_EVAL_STAGER

PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0018_000.js` `64dbb1b26294330f72a9c5b7a7778b4e255c7b7609626eddfee2e06a530f4473`	pdf-javascript-stream	PDF /JS object 18 at offset 0x14F2	1021 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.