PDF malware analysis — malicious · d0f7c8b454b0c0c8

MALICIOUS

PDF

3.6 KB Created: ®î[+²O0éäÛp4 Authoring application: ÷®H fS«N1õãÂr? (via ÷®H fS«/xDû!M'oqU×Jè)

MD5: 7bf53b85d085922c60300c28e045cf80 SHA-1: 60f1d52b865a3c6685b1e5848339f48a64822720 SHA-256: d0f7c8b454b0c0c8ac43e39b28b432c39cab0dd6199d6372e797aa079558422a

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.002 Spearphishing Attachment

This PDF sample was flagged as malicious by an ML classifier with high confidence. It contains embedded JavaScript and is encrypted, with an /OpenAction referencing the JavaScript, indicating an attempt to obscure or dynamically execute a payload. The presence of JavaScript actions and encrypted content suggests a technique to bypass static analysis and deliver a malicious payload. The ML classifier's high score further supports the malicious nature of the file.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.