Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7e40cabe4d6dc5b…

Verdict: MALICIOUS
File type: PDF
Size: 216.4 KB
Created: (garbled, not recoverable)
Authoring application: (garbled, not recoverable)
MD5: d7de0f856334c20e0e5055983a332cf3
SHA-1: 0d5d89843b0acbf776ab3c8a2ac33626374a6a85
SHA-256: c7e40cabe4d6dc5b74ffd055f8e65fa1a577fa9eb29287405a38c4df5b109c15
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1059.001 JavaScript/JScript
  • T1553.004 Subvert Trust Controls: Mark-of-the-Web Bypass

This PDF file exhibits malicious characteristics, including the presence of embedded JavaScript streams and encryption that hides the payload. The ML classifier strongly indicates maliciousness. The JavaScript actions suggest an attempt to obfuscate or deliver malicious content, likely leading to further stages of an attack. The specific JavaScript streams identified are the primary indicators of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9259

Heuristics (4)

  • Encrypted PDF carries /JavaScript: payload hidden from static analysis (severity: high, rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators, this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • AcroForm button with action trigger (severity: low, rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj1264_000.js
    SHA-256: 9f165494e970f4b20a3a7d9dc355a579d78d7ec7b0f3ea06f0ea6ecf4ebaddde
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1264 at offset 0x126C2
    Size: 39 bytes
  • javascript_obj1265_001.js
    SHA-256: b062cf3565937026f513578cb2661b607ee6721015f1cb8aa700c2b86bb7c0df
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1265 at offset 0x1271A
    Size: 42 bytes
  • javascript_obj1353_003.js
    SHA-256: cb083b9c2070114fb5020b4e5e5f7c7dc2e361d1c2fa3f69ea693330af59d893
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1353 at offset 0x13F63
    Size: 137 bytes