Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6726074f9decc9f…

Verdict: MALICIOUS
File type: PDF
Size: 336.7 KB
MD5: e46bef7a5f9fb53bde5a5548f7265b19
SHA-1: 07a1ba1201541be33fa7bfef9e7f1cd3ba2838ec
SHA-256: c6726074f9decc9fcd2a5b3dbe8767eb6143b8fda9a4ef881bbccf49b25db019
Risk score: 108

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains multiple embedded JavaScript streams, and two high-severity heuristics fired inside the decoded content: eval() (PDF_EVAL) and unescape() (PDF_UNESCAPE). That pairing is the classic shape of a script that decodes an obfuscated payload at runtime and then executes it. The generic /JavaScript action and /JS stream findings (PDF_JAVASCRIPT, PDF_JS) carry low severity on their own, because benign forms use both, but they confirm the delivery channel. No network IOCs were recovered: the only URLs extracted are standard XMP/RDF metadata namespace identifiers, and ClamAV matched no signature on any of the carved streams it was run against, so the exact payload and family cannot be identified from static analysis alone. Nothing among the extracted artifacts references PowerShell, so the T1059.001 mapping is not corroborated by the static evidence shown here.

Machine Learning

  • Nyx PDF Classifier: clean score 0.2457

Heuristics (7)

  • eval() call [high] PDF_EVAL
    eval() found; commonly used for obfuscated exploit execution (matched inside decoded stream).
  • unescape() call [high] PDF_UNESCAPE
    unescape() found; often used to decode shellcode in PDF JS exploits (matched inside decoded stream).
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside decoded stream).
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
    All five are standard XMP/RDF metadata namespace identifiers (rdf, pdf, xmp, dc, xmpMM). Their presence is expected in any PDF that carries an XMP metadata packet, and they should not be treated as network IOCs.

Extracted artifacts (13)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size; entries with a Detection line matched the static triage checks.

stream_024_off000070d8.js
  SHA-256: 0b1b1ccc66720369cfc1c63b2731d18a59fadcfae568b3b37a5bbb8ce4821cfd
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x70D8
  Size:    3551 bytes

stream_025_off0000764f.js
  SHA-256: 92c7113721eda308ba793cbd194c0e585679c0ef14eaeeca6ba058b7831997aa
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x764F
  Size:    41573 bytes

stream_026_off0000927d.js
  SHA-256: f14def7c3a459fb4591cbe065d41d053c702364ed3b1ea5c7026641b1288e0d8
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x927D
  Size:    22447 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 13 eval/decoder/string-building tokens).

stream_027_off0000a4f6.js
  SHA-256: 78e513d41bf2a661c7f60584b6d8c8887a33660b20594273baa225fb5ff396fb
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xA4F6
  Size:    25462 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 38 eval/decoder/string-building tokens).

stream_028_off0000bd4c.js
  SHA-256: 752d2567001891def67f53ca21d10724ba8bcb02d888cbb5b1c4daf4defcac7a
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xBD4C
  Size:    23927 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 38 eval/decoder/string-building tokens).

stream_030_off0000d7cc.js
  SHA-256: 763172bb83da378d3deb9ea0ef54110a601894bb66f84142953df111355e142d
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xD7CC
  Size:    2372 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token).

stream_069_off0002076f.bin
  SHA-256: ff6d8bc6de358707b08f37d5433c715bbef1ebfa5fc4356805db9dabf823d5a7
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x2076F
  Size:    66088 bytes

stream_071_off0003126c.bin
  SHA-256: 3cd2e46a6d8b775ee4de04ea33e67a0149cd091e7eea9fff3e79afe1a7dcc848
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x3126C
  Size:    46086 bytes

stream_081_off00038057.bin
  SHA-256: e078085dd90f92ea7edf1351330e3e50d0eacc950ec46ed1395f43f786ea3792
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x38057
  Size:    50592 bytes

objstm_0003_00.bin
  SHA-256: 9140aa4efcd371f2d9236c0f04a3c2d082b7a7496b7641d4441bce6d4af0e776
  Kind:    pdf-objstm-decoded
  Source:  PDF /ObjStm 3 0 obj (inflated)
  Size:    10455 bytes

objstm_0024_00.bin
  SHA-256: 3d6212aaa90b2d7fada20e93a7ea054f722c17c2eeb33359166d815b19d81d09
  Kind:    pdf-objstm-decoded
  Source:  PDF /ObjStm 24 0 obj (inflated)
  Size:    30169 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).

objstm_0025_00.bin
  SHA-256: d82321077e974f67b8dad8194a827e01271b16ffa1725f6d24a484e3b6ce91a7
  Kind:    pdf-objstm-decoded
  Source:  PDF /ObjStm 25 0 obj (inflated)
  Size:    34050 bytes
  Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).

font_00_cff_off0002b919.bin
  SHA-256: fe0bcb30e9a9a9037476dd17ce284fa1d88fc717b8bad894c8d8e66e42edd80b
  Kind:    pdf-font-stream
  Source:  PDF embedded font (cff) at offset 0x2B919
  Size:    44052 bytes
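The two steps this report relies on, carving and inflating each FlateDecoded stream (the "Extracted artifacts" list above) and then scanning the decoded bytes for eval()/unescape()/String.fromCharCode while labelling any extracted URL by what it is (the "Heuristics" list above), can be reproduced in a short script. The Python below is an added example written for this page, not the analyser's own code. It builds a small constructed PDF with one FlateDecoded JavaScript stream and one XMP metadata stream carrying the same namespace URIs the report extracted, carves both, and applies rules named after the report's rule IDs. The severity weights (40 for high, 5 for low) and the verdict threshold are assumptions, since the report's scoring formula is not published; the carving regex handles only flat dictionaries with a direct /Length, which is enough for the constructed input.

```python
import re
import zlib

# --- Constructed input (not the analysed sample) ---------------------------
# One JavaScript stream exercising the APIs the report's rules key on, and one
# XMP metadata stream carrying namespace URIs like those the report extracted.
JS_PAYLOAD = b"""
var sc = unescape("%u9090%u9090");
var s = String.fromCharCode(0x41, 0x42);
eval(s + sc);
"""
XMP_PAYLOAD = b"""<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/"
                   xmlns:xmp="http://ns.adobe.com/xap/1.0/"/>
 </rdf:RDF>
</x:xmpmeta>"""

def _stream_obj(num, extra, data):
    """Serialise one FlateDecoded stream object with a direct /Length."""
    comp = zlib.compress(data)
    head = b"%d 0 obj\n<< %s /Filter /FlateDecode /Length %d >>\nstream\n" % (num, extra, len(comp))
    return head + comp + b"\nendstream\nendobj\n"

SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n"        # the /JavaScript action
    + _stream_obj(5, b"", JS_PAYLOAD)                            # the /JS stream it points at
    + _stream_obj(6, b"/Type /Metadata /Subtype /XML", XMP_PAYLOAD)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# --- Carving --------------------------------------------------------------
# Flat dictionaries and direct /Length only; nested dictionaries, hex strings
# and indirect lengths ("12 0 R") are deliberately out of scope for this example.
HEADER_RE = re.compile(rb"(\d+)\s+0\s+obj\s*<<([^>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")

def carve_streams(pdf):
    """Yield (objnum, dictionary, raw_stream_bytes, offset) for each stream found."""
    for m in HEADER_RE.finditer(pdf):
        lm = LENGTH_RE.search(m.group(2))
        if lm is None:
            continue                      # indirect /Length: would need xref resolution
        start, length = m.end(), int(lm.group(1))
        yield int(m.group(1)), m.group(2), pdf[start:start + length], start

def inflate(dictionary, raw):
    """Apply /FlateDecode; salvage a truncated stream; otherwise return raw bytes."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        try:
            return zlib.decompressobj().decompress(raw)   # keeps whatever prefix is valid
        except zlib.error:
            return raw

# --- Scoring, named after the report's rule IDs ---------------------------
# Severity weights are an assumption for this example, not the report's formula.
RULES = [
    ("PDF_EVAL",         "high", re.compile(rb"\beval\s*\(")),
    ("PDF_UNESCAPE",     "high", re.compile(rb"\bunescape\s*\(")),
    ("PDF_FROMCHARCODE", "low",  re.compile(rb"String\.fromCharCode")),
]
WEIGHT = {"high": 40, "low": 5}
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
# Namespace URIs that XMP packets carry by design: metadata, not contact points.
XMP_NAMESPACE_PREFIXES = (
    b"http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    b"http://ns.adobe.com/",
    b"http://purl.org/dc/elements/1.1/",
)

def triage(pdf):
    """Carve, inflate and score every stream; return hits, labelled URLs and artifacts."""
    hits, urls, artifacts = [], [], []
    for objnum, dictionary, raw, offset in carve_streams(pdf):
        data = inflate(dictionary, raw)
        artifacts.append((objnum, offset, len(data)))
        for rule_id, severity, pattern in RULES:
            n = len(pattern.findall(data))      # matched inside the *decoded* stream
            if n:
                hits.append((rule_id, severity, objnum, n))
        for url in URL_RE.findall(data):
            label = "xmp-namespace" if url.startswith(XMP_NAMESPACE_PREFIXES) else "needs-review"
            urls.append((url.decode("latin-1"), label))
    return {"hits": hits, "urls": urls, "artifacts": artifacts}

def verdict(report):
    """Any high-severity JS API hit is enough for MALICIOUS; URLs never add to the score."""
    score = sum(WEIGHT[sev] for _, sev, _, _ in report["hits"])
    label = "MALICIOUS" if any(sev == "high" for _, sev, _, _ in report["hits"]) else "CLEAN"
    return label, score

if __name__ == "__main__":
    r = triage(SAMPLE_PDF)
    for h in r["hits"]:
        print("%-16s %-4s obj %d x%d" % h)
    for u in r["urls"]:
        print("URL %s [%s]" % u)
    print(verdict(r))
```

Running it against the constructed PDF reports PDF_EVAL, PDF_UNESCAPE and PDF_FROMCHARCODE, all in object 5, and labels every URL from the metadata stream as xmp-namespace, which is the same split the report shows: the verdict comes from the decoded JavaScript, while the namespace URLs are listed for completeness and add nothing to the score.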