Malicious PDF — malware analysis report

Static analysis result for SHA-256 c36d3fb52fa350fb…

Verdict: MALICIOUS

File type: PDF

Size: 178.6 KB
Authoring application: PyPDF2
MD5: ba234cac446219f7938a8b5e11241d75
SHA-1: fda461991052e278ad7bef4ba9e7729c3f8898a6
SHA-256: c36d3fb52fa350fb2034584c79161dbe3cfea418fc3b783a5b7ee032b4f0abf4
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file was flagged as malicious by an ML classifier and contains multiple embedded JavaScript streams. One of these streams, 'new_array_token_stage_000.js', appears to be a deobfuscated version of malicious JavaScript. The presence of 'eval()' calls and the ML classifier's output strongly suggest that the embedded JavaScript is designed to download and execute a second-stage payload. The document body contains seemingly random text, indicating it is likely a lure document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9896

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size (one entry per carved file; detection notes follow where present)

  • javascript_obj0004_000.js
    SHA-256: 35969e16a985cc6eefd24beb0648eeb9d2ac94652eee044c8750e85474916893
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x17F
    Size: 95090 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • javascript_obj0004_001.js
    SHA-256: c7bd444b9b78dff76e0f640886f5ef6fdcb1103de8ac269b233e0cb18d8abd65
    Kind: pdf-javascript-stream
    Source: PDF /JS object 4 at offset 0x17F
    Size: 93722 bytes
  • javascript_obj0021_003.js
    SHA-256: b49875e7a786cc7d62191be88c49afc7a7f53551d4ec30ddf24c3fd7583d7233
    Kind: pdf-javascript-stream
    Source: PDF /JS object 21 at offset 0x20AB4
    Size: 33 bytes
  • javascript_obj0024_004.js
    SHA-256: 3f0411249ce2aa04eafe4c4d4c8a3ff5621d03001267f8312b9f3234a961527a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 24 at offset 0x20D3A
    Size: 39 bytes
  • javascript_obj0025_005.js
    SHA-256: 8e0a70804005ed86eb741335f92111ac7ec5c72b7ef29e96ce3d3a89f68598df
    Kind: pdf-javascript-stream
    Source: PDF /JS object 25 at offset 0x20DC0
    Size: 42 bytes
  • javascript_obj0047_007.js
    SHA-256: 7f178003088ca15e9ff77cee099e1df317b1d69f74c386719c66e405fbcfff19
    Kind: pdf-javascript-stream
    Source: PDF /JS object 47 at offset 0x2239D
    Size: 32 bytes
  • new_array_token_stage_000.js
    SHA-256: ad67c719c363af889b7663e04ebbc40b2a9995cfbee4cf8e43993eb9c9f4a6c5
    Kind: deobfuscated-js
    Source: new-array token-map decoded JavaScript object 4 at offset 0x187
    Size: 16939 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 3 shell/COM execution token(s))