PDF malware analysis — malicious · c4f1364672893135

MALICIOUS

PDF

3.6 KB Created: ¯ÇÚj½ñ¡"©ü¤ Authoring application: ¸3ÖJC¤ð¸>®å¯ (via ¸3ÖJC¤Òý0Ñ¢QïÝíê:wõjä)

MD5: 323211550d822d7a6024c233f575df6f SHA-1: 80f6d0c94872a6ca3c7557e668d9d4fc5a5b903c SHA-256: c4f1364672893135eeccdcce52c150f32791a4c7f13b94bdbfee375e576902d9

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1553.004 Subversion: Mark-of-the-Web Bypass

The PDF was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript and is encrypted, with the payload likely hidden within an OpenAction. This suggests the PDF is designed to execute malicious JavaScript upon opening, likely to download and execute a second-stage payload. The obfuscation and encryption techniques are common in malware delivery.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.