PDF malware analysis — malicious · b6a31169ab0c43f4

MALICIOUS

PDF

45.1 KB Created: 2009-11-18 06:29:17 +03:00 Authoring application: goingIts (via e5b565ee90394bde9f504d9c6ef027d1)

MD5: a9dc09cca41315f8bf6124c3ae55b6c4 SHA-1: 39f1e2c9f2bcf5a33985c87e3e03800a19e415a1 SHA-256: b6a31169ab0c43f4612826f45db28f4d69993cc3c6be366c060b17a62589c53d

94 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, with high-confidence heuristics indicating the use of eval() for code execution. This suggests the script is designed to download and execute a second-stage payload. The ML classifier strongly flags this PDF as malicious. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0013_000.js` `a90c38c0fd8eb794b74661d634e248131280ebfa7d312ad5254a66e63db184ad`	pdf-javascript-stream	PDF /JS object 13 at offset 0x1EC6	4096 bytes
`javascript_obj0014_001.js` `2312aefa7f5e83ae90c9a8df473b2029ef2dd2e81ccebd3c575340f8acddbafa`	pdf-javascript-stream	PDF /JS object 14 at offset 0xAE53	41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.