PDF malware analysis — malicious · c77570c4654f16da

MALICIOUS

PDF

120.0 KB

MD5: b0e450c13231309271f8a82d6819f301 SHA-1: b2c59e777952d86de5025f90747084a15efb190b SHA-256: c77570c4654f16da1e6fc3e3eecf617db423ed423926bf71544b6a1382bf85a1

94 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

This PDF was flagged as malicious by an ML classifier and exhibits high-confidence heuristic firings for PDF encryption combined with JavaScript. The presence of JavaScript actions and embedded JS streams indicates an attempt to obfuscate malicious content and potentially execute a secondary payload. The encrypted nature of the PDF further supports this, hiding the true nature of the content from static analysis.

Machine Learning

Nyx PDF Classifier malicious score 0.9937

Heuristics 4

Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic

Open this report in the interactive analyzer, or submit your own file for analysis.