PDF malware analysis — malicious · d39b5cdd0110818d

MALICIOUS

PDF

8.4 KB Created: +A^j3å½yaqM[ueY Authoring application: <3a¨þoamNDog[ (via <3a¨þo;Jë(4 D?Ì/¢ÞÏð½)

MD5: bb18d2f12f9897e7b86d78b392343122 SHA-1: c1ceffc93b2724985e1f7399424942d5355fa663 SHA-256: d39b5cdd0110818d49fe8a7c0404e9242df072540f1706702fea5008529f54b0

86 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF sample was flagged by a machine learning classifier and contains embedded JavaScript. The presence of PDF_ENCRYPTED_WITH_JS indicates that the PDF's content is encrypted and likely uses JavaScript to perform the decryption and execute a payload. This suggests an attempt to bypass static analysis and deliver a malicious payload. The ML classifier's high score further supports the malicious nature of the file.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS

PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.