Malicious PDF — malware analysis report

Static analysis result for SHA-256 bbdf9a7c5f48282e…

MALICIOUS

PDF

346.5 KB Created: 96\Fc›Š¾ZãàÍ{KêCϏ>çt
MD5: a1e014a083a8791c902e1b3343a9b595 SHA-1: e263a030f1516f9d8651fdb1ec0b895efcf40dfb SHA-256: bbdf9a7c5f48282ed2501771da4015bfae34fe5d1f19306589caf0842e8e7052
124 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

This PDF file was flagged as malicious by an ML classifier and exhibits several high-severity heuristic firings, including PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT. The presence of encrypted content combined with JavaScript actions strongly suggests that the document is designed to conceal and execute malicious code, likely to download and run a secondary payload. The PDF structure and the ML classification indicate a high likelihood of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9937

Heuristics 7

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
p
562e0742464d43e4c4c46bd37ab72609cd16ea020a1ae4e417b52d275daa2913		 pdf-embedded-file PDF EmbeddedFile object 50 at offset 0x3B11 2376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.