PDF malware analysis — malicious · cbe0c7b20c15ed7d

MALICIOUS

PDF

22.5 KB Authoring application: ¼d'+ö°Ðz¢8É|ä8XZ+=#Që>0ÊÁÂN =È{:

MD5: d0e70a05090db44403e9eca914e3930c SHA-1: 81b13251bb8352488a5fca55128a5e7c5af72e77 SHA-256: cbe0c7b20c15ed7dd7a38fb1d18d120ed584eb07ce266d3404d2a5790776cf0f

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF was flagged as malicious by an ML classifier and contains embedded JavaScript. The presence of PDF_ENCRYPTED_WITH_JS indicates that the JavaScript is used to obscure the payload, making it difficult for static analysis. The embedded JavaScript file, 'javascript_obj0001_000.js', is the primary IOC. The obfuscation technique suggests an attempt to download and execute a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 3

Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0001_000.js` `8f363d190709ca46fdcf2a996bb0dc54c45eaaaf087a83b3be963c80d1a9039e`	pdf-javascript-stream	PDF /JS object 1 at offset 0x10	3168 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.