PDF malware analysis — malicious · ce896f6f2630f0c4

MALICIOUS

PDF

29.7 KB

MD5: 8aa97b8b809aea28bcfdfb9d5c527a0a SHA-1: af9648c04a95e39ca903b05a1f48cba60caf5ea5 SHA-256: ce896f6f2630f0c43b96dc1e6d96af3447e68972dfc8e40f34db2c74746ad7e3

134 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: Malicious JavaScript

The PDF contains embedded JavaScript, which is flagged as malicious by multiple heuristics and a machine learning classifier. The use of ASCIIHexDecode and ASCII85Decode filters, often employed to obfuscate malicious content, further supports this assessment. The primary attack vector appears to be the execution of malicious JavaScript within the PDF.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS

PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Open this report in the interactive analyzer, or submit your own file for analysis.