Malicious PDF — malware analysis report

Static analysis result for SHA-256 d58ee3de95e64f4a…

MALICIOUS

PDF

8.1 KB
MD5: fda158b058161e20751a80efbf8d9b1a SHA-1: 3d6d27f399f9742ac7a6272868b39d85cdfdada1 SHA-256: d58ee3de95e64f4a46b3070c16b96d76a173bbbe7e8eef8f27ea191eaf57e000
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by a machine learning classifier and contained heuristics indicating the presence of JavaScript with eval() calls and String.fromCharCode usage. These are strong indicators of obfuscated code intended to perform malicious actions, such as downloading and executing a second-stage payload. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6569

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off000004a6.bin
4447bc3bf2370788a868beaf4e818cbde6061d04686c8a8695d700584551fe2b		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x4A6 4794 bytes
objstm_0013_00.bin
3ec841b01a1bb1aa700b49a4f383b3c25444c501028558ea845e84b840f95f4d		 pdf-objstm-decoded PDF /ObjStm 13 0 obj (inflated) 171 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.