PDF malware analysis — malicious · d442852d8e17043f

MALICIOUS

PDF

50.2 KB

MD5: 39ebeac8ab262d5c936f6167ed0cef93 SHA-1: 026dadaa88f5f7a5b01d9f7fa752ba9384c38e8c SHA-256: d442852d8e17043fca5df90d14cc849421b562262de787d00e028c3ed66157d4

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ML classification and ClamAV detection for obfuscated content. Embedded JavaScript was extracted, indicating an attempt to execute malicious code. The presence of XFA forms and JavaScript actions suggests a complex attack vector, likely for delivering a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9748

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `7f1b857b486cbfae9c13617031d74b6fdf2106a311f76abd72a4fef8bba0762d`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA202	3360 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.