Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2c60f3c539039a7…

Verdict: MALICIOUS

File type: PDF

Size: 352.3 KB
Created: (unreadable; the PDF's string metadata is encrypted, so the value extracts as garbled bytes)
Authoring application: (unreadable; the PDF's string metadata is encrypted, so the value extracts as garbled bytes)
MD5: ba7e83c3181cacdd586fd5355b49f4e9
SHA-1: a2829e9cfdf44ce331b2298f38e6d31ecd419043
SHA-256: b2c60f3c539039a7c35fcb19c376a24cda21b62939961115a6fe77d5ca81ec32
Risk score: 66

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment

The PDF file is encrypted and contains JavaScript, which is a common technique to obfuscate malicious content. The presence of PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT heuristics indicates that the JavaScript is likely used to bypass static analysis and deliver a malicious payload. The PDF_IMAGE_ONLY_LURE heuristic suggests the document may be designed to appear as a benign image-based document to deceive the user.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0127

Heuristics (5)

  • PDF_ENCRYPTED_WITH_JS (high): Encrypted PDF carries /JS — payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/JS). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • PDF_JAVASCRIPT (low): JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_ACROFORM_BUTTON (low): AcroForm button with action trigger
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • PDF_IMAGE_ONLY_LURE (info): PDF paints image(s) but contains no text operators
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

Filename: javascript_obj0261_000.js
  SHA-256: da8ef7339db8525f354cb03c11de39cf6cd5f178525e9cb38ea80f76d26c70bb
  Kind: pdf-javascript-stream
  Source: PDF /JS object 261 at offset 0x556D7
  Size: 176 bytes

Filename: javascript_obj0257_001.js
  SHA-256: f5d12c89590445c26b62b46b2fdd8eb6a7947138b1b4877c1724311dca92bd14
  Kind: pdf-javascript-stream
  Source: PDF /JS object 257 at offset 0x5589E
  Size: 64 bytes

Filename: javascript_obj0255_002.js
  SHA-256: 33ed036dba99a2aa0552172d30ced90246c52b3637376ec4ce549d86d1993a83
  Kind: pdf-javascript-stream
  Source: PDF /JS object 255 at offset 0x559F5
  Size: 64 bytes

Filename: javascript_obj0253_003.js
  SHA-256: 8c5bc2e50f285f593fddbced757b535f0fd9b2100908ccec9ca37ffd9986f461
  Kind: pdf-javascript-stream
  Source: PDF /JS object 253 at offset 0x55B49
  Size: 48 bytes