Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0705575db8e25e4…

Verdict: MALICIOUS
File type: PDF
Size: 4.5 KB
Created: 2010-04-30 20:47:26
Authoring application: Fodebarexa
MD5: 11a1a88de6695bb027f238e68ac576c2
SHA-1: 3f21b129061a98640bd963f2c549299865f50493
SHA-256: d0705575db8e25e467b398b497337fb1fed82a400409cd32059b21f4f2e62b70
Risk score: 86

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged by multiple high-severity heuristics, including a JavaScript action and a page-word XOR JavaScript eval stager. The embedded JavaScript stream, while obfuscated, is indicative of a stager designed to download and execute further malicious content. The ML classifier strongly supports the malicious verdict. The document body contains seemingly random text, suggesting it is not intended for direct user interaction but rather serves to mask the malicious script.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Page-word XOR JavaScript eval stager (severity: high, rule: PDF_PAGE_WORD_XOR_EVAL_STAGER)
    PDF JavaScript enumerates rendered page words with getPageNthWord/getPageNumWords, extracts encoded byte fragments, XOR-decodes the stage with char-code helpers, and evals the result. This is an old exploit-kit staging pattern and is not normal document JavaScript.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256: 7ad1ee8cba7784f1a95b635244a4165fad123a151fe73c8fc9a0d61755caba74
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0xCAB
Size: 874 bytes