Malicious PDF — malware analysis report

Static analysis result for SHA-256 aec374893d64e94a…

MALICIOUS

PDF

12.7 KB
MD5: b246f2a4d8c45ad84fe9b72a3e6ceb3e SHA-1: 35a1c64552f47c08a74b05f0dba4d3c6a86ad808 SHA-256: aec374893d64e94a1e360a69dccbad7b5a262b71a3eda0f32bddcec349f12e6f
146 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged as malicious by a critical ClamAV detection and an ML classifier. Heuristics indicate the presence of JavaScript within the PDF's metadata, specifically a stager designed to decode and execute JavaScript. This JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for initial access.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
  • PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER
    PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0076_000.js
55bfbe4acf13b84751f343f8e1ef10e02dc07e68eaf13f5f9ffca276df00e02e		 pdf-javascript-stream PDF /JS object 76 at offset 0x30BA 331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.