Malicious PDF — malware analysis report

Static analysis result for SHA-256 c00c037ff34a0e33…

MALICIOUS

PDF

35.5 KB Created: 2009-05-01 21:21:45 Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 2da1ddee03b97ed92918ed35385958f0 SHA-1: 402dd4965e62b0e41892891e7b1795c365b5cd40 SHA-256: c00c037ff34a0e3395e724bc191b00b9fdf649ae48b10865901c29caa00990fa
128 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell T1059.003 Command and Scripting Interpreter: Windows Command Shell T1059.007 Command and Scripting Interpreter: JavaScript/TypeScript

The PDF contains embedded JavaScript, which is heavily obfuscated and utilizes eval() and unescape() functions. This strongly suggests the script is designed to deobfuscate and execute malicious code, likely downloading and running a second-stage payload. The ML classifier also flagged this PDF as malicious with high confidence. Due to the obfuscation, the exact nature of the payload cannot be determined from static analysis alone.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
a3b5bdccb204156a42b9991e2885b8b8c872fc3d695b5b5ec4720086e42c6f70		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35126 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0007_001.js
b5386b87c241a52c697b4fff1e0bf0f12df057246a1ce5a58ba55500ee346b08		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35039 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.