Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccac7e915021548d…

Verdict: MALICIOUS
File type: PDF
Size: 6.5 KB
MD5: db56fe5719a8c2a281a6024829932014
SHA-1: af60c69a6cad45b76352095e5d98b848ac3ea158
SHA-256: ccac7e915021548d7d115a6fb1f694b1472ebc973b3b6b7d0fd3b8c958a177ba
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/JScript
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including 'PDF_JAVASCRIPT' and 'PDF_JS'. The 'PDF_UNESCAPE' firing suggests the JavaScript is obfuscated. The ML classifier strongly flagged this PDF as malicious. The embedded JavaScript streams are the primary indicators of malicious activity, likely serving to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9833

Heuristics (5)

  • unescape() call (severity: high, rule PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The five URLs below are the standard RDF, XMP and Dublin Core namespace identifiers found in ordinary PDF metadata, not download locations.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: stream_002_off00000325.bin
  SHA-256: 50931e96ef9cc1eb650dec9e6ed79fa665a4c075de4166585931430b2c625cbd
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x325
  Size: 727 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))

Artifact 2
  Filename: stream_003_off000005c8.bin
  SHA-256: 0d351c97124078d6afc99fe9c23d8ee4fd67fb73a30cc2c9a19dde7a3eeca849
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5C8
  Size: 442 bytes