Malicious PDF — malware analysis report

Static analysis result for SHA-256 d64d5da5c2cd17e1…

Verdict: MALICIOUS
File type: PDF
Size: 13.0 KB
MD5: 2ac962c729fe0166686fa3e2b615d375
SHA-1: b22bc77e42325d66e04560f4f5a34a1186d94721
SHA-256: d64d5da5c2cd17e19541e41ee90a4239cc3c8ab086054e6c993c68017e51bc2d
Risk score: 194

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file carries high-confidence malicious indicators: the ML classifier scores it 1.0000 and ClamAV raises Heuristics.PDF.ObfuscatedNameObject, a heuristic rather than a signature, which fires when common PDF names are written with #xx hex escapes (for example /J#61vaScript), a trick used to defeat naive string matching on /JavaScript and /JS. Two embedded JavaScript streams (objects 116 and 123) are present and were flagged by PDF_JAVASCRIPT and PDF_JS. PDF_EVAL and PDF_UNESCAPE fired inside the decoded streams, and the larger script contains 226 eval/decoder/string-building tokens, so the code is heavily obfuscated and performs dynamic code execution. unescape() of %u-encoded strings is the classic way PDF exploits stage shellcode for a heap spray, so the findings are equally consistent with an exploit against the reader and with a downloader; they do not establish which, because the script was not deobfuscated and the final payload was not recovered. No malware family was identified. Two structural findings matter for handling: the same object number is defined twice with different bodies, so first-wins and last-wins parsers resolve different content, and the pdfminer.six cross-check failed with PSSyntaxError, which is consistent with a deliberately malformed file. The ATT&CK tag T1059.001 (PowerShell) is not supported by any finding in this report; the observed scripting is Acrobat JavaScript, for which T1059.007 (JavaScript) is the closer sub-technique.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (8)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject. This is a heuristic, not a signature: it fires when common PDF names are written with #xx hex escapes, so it says the file is hiding its structure, not which family it belongs to.
  • eval() call (high, PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call (high, PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
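As an added illustration, not the report's own analysis engine, the following Python script reproduces the core of the heuristics above on a constructed PDF: it decodes #xx-escaped names (the pattern the ClamAV heuristic targets), finds /JavaScript and /JS, inflates FlateDecode streams and counts eval/unescape tokens inside them, and flags an object number defined twice with different bodies, showing what a first-wins and a last-wins reader would each resolve for that object. The sample file, and the rule names PDF_OBFUSCATED_NAME, PDF_STRING_BUILD, PDF_DUPLICATE_OBJ_BODY and PDF_DUPLICATE_OBJ_BODY_ACTIVE, are assumptions made for this example, not identifiers from the report.

```python
"""Toy PDF triage illustrating this report's heuristics (added example, not the
report's engine). Sample file and rule names other than PDF_EVAL, PDF_UNESCAPE,
PDF_JAVASCRIPT and PDF_JS are constructed for the illustration."""
import re
import zlib
from collections import defaultdict

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")  # #xx escape inside a name object
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
COMMON_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|Filter|FlateDecode|Length)\b")
ACTIVE_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)\b")
JS_TOKENS = {  # scored inside decoded streams, as the report's PDF_EVAL/PDF_UNESCAPE are
    "PDF_EVAL": re.compile(r"\beval\s*\("),
    "PDF_UNESCAPE": re.compile(r"\bunescape\s*\("),
    "PDF_STRING_BUILD": re.compile(r"String\.fromCharCode"),  # hypothetical rule name
}

def decode_names(raw):
    """Resolve #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def iter_objects(pdf):
    """Yield (num, gen, body) for every 'N G obj ... endobj', in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), int(m.group(2)), m.group(3)

def stream_payload(body):
    """Decoded stream bytes of an object body, or None if it carries no stream."""
    head = re.search(rb"stream\r?\n", body)
    if not head:
        return None
    start, dictionary = head.end(), decode_names(body[:head.start()])
    # Use a direct /Length; an indirect '/Length 5 0 R' is not handled by this toy.
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", dictionary)
    if length:
        data = body[start:start + int(length.group(1))]
    else:
        data = body[start:body.find(b"endstream", start)].rstrip(b"\r\n")
    if b"/FlateDecode" in dictionary:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return None  # truncated or deliberately corrupt filter data
    return data

def count_js_tokens(data):
    text = data.decode("latin-1")
    return {rule: len(pat.findall(text)) for rule, pat in JS_TOKENS.items()}

def analyse(pdf):
    """Return the sorted list of rule names that fire on the file."""
    findings, versions = set(), defaultdict(list)
    for num, gen, body in iter_objects(pdf):
        raw_dict = body.split(b"stream", 1)[0]  # dictionary part, before stream data
        names = decode_names(raw_dict)
        if NAME_ESCAPE.search(raw_dict) and COMMON_NAMES.search(names):
            findings.add("PDF_OBFUSCATED_NAME")  # what ClamAV's ObfuscatedNameObject targets
        if b"/JavaScript" in names:
            findings.add("PDF_JAVASCRIPT")
        if re.search(rb"/JS\b", names):
            findings.add("PDF_JS")
        data = stream_payload(body)
        hits = count_js_tokens(data) if data is not None else {}
        findings.update(rule for rule, n in hits.items() if n)
        versions[(num, gen)].append((body, names, hits))
    # Same object number defined more than once with different bytes: first-wins and
    # last-wins readers disagree. Raise severity only when a copy carries active content.
    for copies in versions.values():
        if len({body for body, _, _ in copies}) > 1:
            active = any(ACTIVE_NAMES.search(n) or any(h.values()) for _, n, h in copies)
            findings.add("PDF_DUPLICATE_OBJ_BODY_ACTIVE" if active else "PDF_DUPLICATE_OBJ_BODY")
    return sorted(findings)

def resolve(pdf, num, gen, policy="last"):
    """Decoded stream of (num, gen) as a first-wins or last-wins reader would see it."""
    bodies = [b for n, g, b in iter_objects(pdf) if (n, g) == (num, gen)]
    if not bodies:
        return None
    return stream_payload(bodies[0] if policy == "first" else bodies[-1])

def build_sample():
    """Constructed test file, not the sample from the report. Object 4 is defined
    twice: first a Flate-packed obfuscated script, then a benign overwrite."""
    evil_js = b'var s = unescape("%u9090%u9090"); eval(String.fromCharCode(97, 112, 112));'
    packed, benign = zlib.compress(evil_js), b'app.alert("hello");'
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        # /JavaScript and /JS written with #xx escapes to dodge naive string matching
        b"3 0 obj << /S /J#61vaScript /J#53 4 0 R >> endobj\n",
        b"4 0 obj << /Length %d /Filter /Fl#61teDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream\nendobj\n",
        b"4 0 obj << /Length %d >>\nstream\n" % len(benign) + benign + b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])

if __name__ == "__main__":
    sample = build_sample()
    print(analyse(sample))
    print("first-wins:", resolve(sample, 4, 0, "first"))
    print("last-wins: ", resolve(sample, 4, 0, "last"))
```

On the constructed file, a last-wins reader (the behaviour most viewers show for incremental updates) sees only the harmless app.alert, while a first-wins reader, or a scanner that stops at the first definition, sees the packed script; that disagreement is exactly why the duplicate-object finding is raised when one of the copies carries active content.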

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are the decoded contents of the /JS streams: object 116 alone is 44301 bytes, larger than the 13.0 KB container, so the sizes below are post-decompression, not the raw bytes on disk. ClamAV's verdict on the container came from the name-escaping heuristic, not from the script content, so a clean ClamAV result on the carved scripts is expected and does not weaken the verdict. To recover the actual payload the scripts need to be deobfuscated, for example by running them in an instrumented JavaScript interpreter with the Acrobat API stubbed out and logging what eval() and unescape() are given.

Filename: javascript_obj0116_000.js
SHA-256: 9ff6769d6b840b0e796eac04ad8ef1d2a83b207058f4a10e84020285939552ff
Kind: pdf-javascript-stream
Source: PDF /JS object 116 at offset 0x4BB
Size: 44301 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 226 eval/decoder/string-building tokens)

Filename: javascript_obj0123_002.js
SHA-256: 2fdb39410f8de2635ec3e03239d2e0a7af87ccf88217f4b557219bf7d218c41b
Kind: pdf-javascript-stream
Source: PDF /JS object 123 at offset 0x386
Size: 12457 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token)