Malicious PDF — malware analysis report

Static analysis result for SHA-256 b55e62efe6da83e5…

MALICIOUS

PDF

1.95 MB Created: 2011-72-51 03:25:00
MD5: d10c0cae1cb7d7a341fccc16b43c6ab8 SHA-1: 97633f356b31d80c5c870dd17e01ad72164aee7f SHA-256: b55e62efe6da83e56aff818800fe54799ac1a9d7102358c0dd2a3548b2962c73
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains multiple embedded JavaScript streams, with high-confidence heuristics indicating the use of eval() for code execution. This suggests the primary purpose is to download and execute a second-stage payload. The ML classifier strongly flags this PDF as malicious, and the presence of multiple embedded PDFs further supports a complex malicious structure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 6

  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
2d1046ec8ba1bc7e1d9523df0f4c9b05ebf69d0f0975acd62bcf16311eb0b4c6		 pdf-javascript-stream PDF /JS object 1 at offset 0x6236 536 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0001_000_1.js
79ce5035f8b68bdfcc34cebf9e4d52dc0ecff6d3dbeec98fe2932d272300e28f		 pdf-javascript-stream PDF /JS object 1 at offset 0x61BC 540 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
polyglot_child_pdf_off0000652c.pdf
fe7ef09f586623dd5c95de98b7ee911f9c4953592e7a380583ceba87c907376f		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x652C 2022100 bytes
javascript_obj0001_000_2.js
cc30dde1a27db16ed84695ba9f9f2a9eb1aca6baceb9581a3e4c19e7479d29eb		 pdf-javascript-stream PDF /JS object 1 at offset 0x6186 539 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
polyglot_child_pdf_off0000c9e2.pdf
99a59562ecba21723e3b1d7676d8f696a409d23bbcaff88786bb80f37e9eb1e9		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xC9E2 1996318 bytes
javascript_obj0001_000_3.js
380e8c83d32219df8fa44525af78582c532581683312c345075c968099095af7		 pdf-javascript-stream PDF /JS object 1 at offset 0x61DB 526 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
polyglot_child_pdf_off00012e61.pdf
f5edcd35770b15af617f88cd8abf4a94b16497d0334f7af0f4dcbe8db336b19a		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x12E61 1970591 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.