PDF malware analysis — malicious · ad5ec7d0d59c6554

MALICIOUS

PDF

2.5 KB

MD5: 2d3425ae06eebad805bc1c8c931f9ce1 SHA-1: d8e92b1643f9ee20329eaf1dd7c44a17167ea60f SHA-256: ad5ec7d0d59c6554b750ef02c2b136677c960943baad1b1cff9fb83368357da4

88 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.007 JavaScript

This PDF sample was flagged as malicious by an ML classifier with high confidence. Static analysis revealed embedded JavaScript, including an obfuscated eval() call, indicating the execution of arbitrary code. The presence of JavaScript actions and streams, combined with the eval() heuristic, strongly suggests the PDF is designed to download and execute a second-stage payload. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0009_000.js` `0b4dfe3824af3ffb8194282f19c443871151c31fe62aef6f05685b7406ba6cb9`	pdf-javascript-stream	PDF /JS object 9 at offset 0xD6	94066 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.