Malicious PDF — malware analysis report

Static analysis result for SHA-256 a94fa9e079338aac…

MALICIOUS

PDF

3.6 KB Created: 2008-07-26 19:43:58 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 10e90de06523638db7f186806e36a74e SHA-1: 6d66f3a78eb05865e9bda1d8234bd4c3852857d7 SHA-256: a94fa9e079338aac1e8a80a1376911c330ba6ad5709583861e20a39b925c3511
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript

This PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript containing eval() and unescape() calls, indicating obfuscated code execution. The presence of a large, encoded JavaScript blob (javascript_obj0014_000.js) strongly suggests that the script is designed to download and execute a secondary payload. The specific obfuscation techniques and lack of further indicators prevent a more precise family attribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0014_000.js
ad13db0e0538ffd04e02c9dd107bd13328bb11906b94bb7dee2569a5fbcb9263		 pdf-javascript-stream PDF /JS object 14 at offset 0x368 19809 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.