Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad4450d84139cb92…

MALICIOUS

PDF

2.5 KB Created: 2009-05-05 21:16:20 Authoring application: aaa (via vvvv)
MD5: 22542d3f8b7dd4c1d9bdf1ee1513fdc6 SHA-1: ba260b49cb261e643e74a2ddc10841d5de03a0d1 SHA-256: ad4450d84139cb929eb53e8c4a20f8f6b532bd50fd10151bbe3222815d5cddae
176 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, flagged by multiple heuristics as malicious and part of an exploit cluster. The ML classifier strongly indicates maliciousness. While the JavaScript deobfuscation failed, the presence of the exploit cluster and the ML score suggest the intent was to leverage a PDF JavaScript vulnerability for code execution. The specific exploit and payload could not be determined due to scan incompleteness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS
    PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Scan did not complete info SCAN_INCOMPLETE
    PDF JavaScript deobfuscation worker failed (worker exit 1); obfuscated JavaScript was not fully inspected.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0005_000.js
4de48173fb372df70d8521ca62af345d27c335ba0ef0c0a87e6f6e687fbb1f42		 pdf-javascript-stream PDF /JS object 5 at offset 0x194 4702 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
acroform_b64_00.js
2dcc302789541914f37753c067c2c4ea2237a5b048127e1f3f24d5698bb1be31		 deobfuscated-js PDF AcroForm base64 (decompressed) at offset 0x590 2803 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
deobfuscated.js
e884d164f8f6d3f295a72dc15ea103c778aaf281c74b55a5db6ed5db19b02427		 deobfuscated-js PDF JavaScript deobfuscation pass 15431 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.