Malicious PDF — malware analysis report

Static analysis result for SHA-256 d1d3b4a8853291cb…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
MD5: ae8629018d49e76b5e0c946d8372659f
SHA-1: 6ca8b5ef9f2a3d8c1e3e0cd02e8ab16c7c9d7bda
SHA-256: d1d3b4a8853291cb96eb4a3de8468ccb44c768a5521142ee379f50840d137cc1
Risk Score: 114

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript

The PDF was flagged by multiple heuristics as containing embedded JavaScript and was classified as malicious by an ML model and ClamAV. The embedded JavaScript stream is the primary indicator of malicious activity, likely serving as a downloader for further stages. The document body is unreadable, providing no contextual clues.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7307254-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7307254-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
SHA-256:  7ab603f85fe70e6b8d73114e605b340cb98ec6ed4aded6cfaa70e18e4bce0a8c
Kind:     pdf-javascript-stream
Source:   PDF /JS object 12 at offset 0xA20D
Size:     3922 bytes