Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfcf428c2a4e69de…

Verdict: MALICIOUS
File type: PDF
Size: 129.1 KB
MD5: e1b6e9a9fa37bf074f99a168e70d7250
SHA-1: 5fb649dbe0ef5def73f5c5e28f8df4c481b1c2ed
SHA-256: bfcf428c2a4e69de15885ae1356fe63f257e3b9badcf3b6a0ee8d874e002fa93
Risk score: 194

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF carries embedded JavaScript (PDF_JAVASCRIPT and PDF_JS heuristics). That JavaScript calls eval() and unescape(), the usual pair for decoding an encoded string at runtime and executing the result, which is why the PDF_EVAL and PDF_UNESCAPE rules score it high. The ML classifier (0.9999) and the ClamAV signature Pdf.Dropper.Agent-7217466-0 independently flag the file. The signature name points to a dropper: JavaScript whose job is to unpack or retrieve a secondary payload and run it. Note that the signature matched the PDF container, not the carved JavaScript streams, which ClamAV reports as clean on their own; the token counts on those streams (232 eval/decoder/string-building tokens in each object-116 stream) are what support the obfuscation finding.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (8)

  • ClamAV: Pdf.Dropper.Agent-7217466-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7217466-0
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content. In this sample the duplicated object is the /JS object 116: it is carved twice below (offsets 0x4BB and 0x53A) with different hashes and sizes, so both definitions were inspected.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
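As an added illustration, not part of the analyzer's output or of any tool it names, the script below does in miniature what the heuristics above describe: it carves /JS streams (inflating FlateDecode bodies), counts the eval() and unescape() calls that the PDF_EVAL and PDF_UNESCAPE rules key on, and flags an object number that is defined twice with different bodies, following every definition so that what a first-wins reader and a last-wins reader would each execute both get inspected. The PDF it builds is constructed for the example and is not the sample from this report; the scoring weights and the verdict labels are the example's own choice, not the analyzer's.

```python
import hashlib
import re
import zlib
from collections import defaultdict

# Regexes over raw bytes. A lazy match to the first 'endobj' is fine for a
# triage script; a production carver should honour /Length and the xref table.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+(\d+)\s+R")
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)
JS_TOKENS = {
    "PDF_EVAL": re.compile(rb"\beval\s*\("),
    "PDF_UNESCAPE": re.compile(rb"\bunescape\s*\("),
    "STRING_BUILDING": re.compile(rb"String\.fromCharCode|\.replace\s*\(|\+=\s*['\"]"),
}


def parse_objects(data):
    """Map (num, gen) -> [(offset, body), ...], keeping every definition in file order."""
    objs = defaultdict(list)
    for m in OBJ_RE.finditer(data):
        objs[(int(m.group(1)), int(m.group(2)))].append((m.start(), m.group(3)))
    return objs


def decode_stream(body):
    """Return the stream payload of an object body (inflated if FlateDecode), or None."""
    m = re.search(rb"\bstream\r?\n", body)  # \b keeps 'endstream' from matching
    if m is None:
        return None
    start = m.end()
    length = LENGTH_RE.search(body[:m.start()])
    if length:
        raw = body[start:start + int(length.group(1))]
    else:  # indirect /Length: fall back to the endstream keyword
        raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in body[:m.start()]:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # truncated or corrupt stream: keep the raw bytes so token scans still run
    return raw


def duplicate_objects(objs):
    """Object ids defined more than once with differing bodies (first-wins vs last-wins divergence)."""
    return {k: v for k, v in objs.items()
            if len(v) > 1 and len({body for _, body in v}) > 1}


def carve_javascript(objs):
    """Collect JavaScript from /JS literals and from /JS N G R references.
    Every definition of a referenced object is followed, so both resolutions are seen."""
    found = []
    for key, versions in objs.items():
        for _, body in versions:
            for m in JS_LIT_RE.finditer(body):
                found.append({"obj": key, "version": 0, "offset": None, "js": m.group(1)})
            for m in JS_REF_RE.finditer(body):
                tgt = (int(m.group(1)), int(m.group(2)))
                for i, (off, tbody) in enumerate(objs.get(tgt, [])):
                    js = decode_stream(tbody)
                    if js is not None:
                        found.append({"obj": tgt, "version": i, "offset": off, "js": js})
    return found


def token_hits(js):
    """Count the decoder/string-building tokens the page's JS rules key on."""
    return {name: len(rx.findall(js)) for name, rx in JS_TOKENS.items() if rx.search(js)}


def triage(data):
    objs = parse_objects(data)
    dups = duplicate_objects(objs)
    artifacts = [{"obj": it["obj"], "version": it["version"], "offset": it["offset"],
                  "size": len(it["js"]), "sha256": hashlib.sha256(it["js"]).hexdigest(),
                  "hits": token_hits(it["js"])} for it in carve_javascript(objs)]
    # Scoring in the spirit of the page's rules: generic JS alone scores nothing,
    # eval/unescape raise it, and JS that lives in a duplicated object raises it
    # again. The weights (10 per token, 20 per duplicate) are this example's own.
    score = 0
    for a in artifacts:
        score += 10 * (a["hits"].get("PDF_EVAL", 0) + a["hits"].get("PDF_UNESCAPE", 0))
        if a["obj"] in dups:
            score += 20
    return {"artifacts": artifacts,
            "duplicates": {k: [off for off, _ in v] for k, v in dups.items()},
            "score": score, "verdict": "suspicious" if score else "low"}


# Constructed test input (not a real sample): object 8 is defined twice with
# different FlateDecode bodies, the shape an incremental update produces.
BENIGN_JS = b"app.alert('form loaded');"
HOSTILE_JS = b"var s = unescape('%75%72%6c'); eval(s); eval(unescape(s));"


def build_sample_pdf():
    def stream_obj(num, payload):
        comp = zlib.compress(payload)
        return (b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, len(comp))
                + comp + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
            b"7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n"
            + stream_obj(8, BENIGN_JS)
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
            + stream_obj(8, HOSTILE_JS)  # incremental update: last-wins readers execute this one
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

Running it on the constructed file yields two artifacts for object 8, one clean and one with two eval() and two unescape() calls, and lists object (8, 0) under duplicates with both offsets. A first-wins reader would run the clean body and a last-wins reader the hostile one, which is exactly why the report's duplicate-object rule raises severity only when the repeated object carries active content.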

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0116_000.js
SHA-256: 66bc2dd93947682259a9aeaad293aba7f6c1927b9e02a1f8bd06e371ce79d7b1
Kind: pdf-javascript-stream
Source: PDF /JS object 116 at offset 0x4BB
Size: 41409 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 232 eval/decoder/string-building tokens)

Filename: javascript_obj0116_002.js
SHA-256: bb8058fd8050f52615592fe25087d47969ca69c7883762a10368579374edcdd3
Kind: pdf-javascript-stream
Source: PDF /JS object 116 at offset 0x53A
Size: 41417 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 232 eval/decoder/string-building tokens)

Filename: javascript_obj0123_003.js
SHA-256: af23b8c8fcbae38fc948ef0b295adb292197c962b1308748c0f7fe07e88795f4
Kind: pdf-javascript-stream
Source: PDF /JS object 123 at offset 0x386
Size: 131331 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)