Malicious PDF — malware analysis report

Static analysis result for SHA-256 aaf71c1a2f6a2a3c…

Verdict: MALICIOUS
File type: PDF
Size: 3.5 KB
Created: 2008-09-24 19:47:56
Authoring application: Adobe (via Notepad)
MD5: abd388ddc4293f56f9c4e4a508bfbdda
SHA-1: b1e9d61abe3b75095f8cba1e5a97b5713bc2c0a6
SHA-256: aaf71c1a2f6a2a3c3468f319c7d842d7f3cda53a825d87e67c382b0fe3a62a1c
Risk Score: 128

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1059.007 JavaScript

This PDF file was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, including calls to eval() and unescape(), indicating obfuscated code execution. The presence of a JavaScript action and an embedded JS stream, along with a suspicious extracted file named 'javascript_obj0006_000.js', strongly suggests the PDF is designed to download and execute a secondary payload. The obfuscation makes it difficult to determine the exact nature of the payload or a specific malware family.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call (high, PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0006_000.js
SHA-256: 1a1a6d926a25af50f824a68733ee2550fe0837d876627b00240e9234d2e28583
Kind: pdf-javascript-stream
Source: PDF /JS object 6 at offset 0xB0F
Size: 191 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).