Malicious PDF — malware analysis report

Static analysis result for SHA-256 ca58348b7ca19668…

MALICIOUS

PDF

10.7 KB Created: 2008-07-26 19:43:58 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: 36e72182ad113c5c41ba2a4dcc20fc1b SHA-1: 3a7dfaaaf3a91fe1be28b4045e5725aea96651f7 SHA-256: ca58348b7ca19668fc0efa9b93a397c833cb393764eeb03f16116b93aaff8d0c
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains obfuscated JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The ML classifier also flagged it as malicious with high confidence. The JavaScript streams, javascript_obj0013_000.js and javascript_obj0013_001.js, are likely responsible for executing arbitrary code, potentially downloading further payloads. The obfuscation makes it difficult to determine the exact execution flow or final payload without dynamic analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_000.js
e21a5b369fe79ff9eb405cfe9aa125676f7f8271f0484dddb7a65e34207d5be0		 pdf-javascript-stream PDF /JS object 13 at offset 0x336 9426 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0013_001.js
61a0298042ef2a84cb085531d53afc90d2f953d7c3732b7c9ac969bfc6a93de9		 pdf-javascript-stream PDF /JS object 13 at offset 0x358 10132 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.