Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1899843d625d8cc…

Verdict: MALICIOUS
File type: PDF
Size: 13.3 KB
MD5: 1d55bb9852871423b58c2a8412b6f4fc
SHA-1: aa713c51adc2ed93426b993010885382efd89974
SHA-256: d1899843d625d8cccf4f20d9d95cc78450cbd06c646d4759852cbf8de0bb2844
Risk Score: 84

Malware Insights

The PDF file contains embedded JavaScript and additional-actions dictionaries, indicating an attempt to execute code upon opening. ClamAV also flagged it as Heuristics.PDF.ObfuscatedNameObject, suggesting obfuscation techniques were used to hide malicious content. The exact payload or exploit is not discernible from the provided evidence.

Heuristics (4)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary (severity: low, rule: PDF_AA)
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)