Malicious PDF — malware analysis report

Static analysis result for SHA-256 d8a58b60404166d8…

MALICIOUS

PDF

134.9 KB Authoring application: Ä°RšmZˆƒ ¤^N¯Jà犪rÚ>ŦÝb2Íæ
MD5: 41ff9f7be922ccbf034266878954196f SHA-1: 35fd49b49ee081272a3ea4fb54da544e050e712f SHA-256: d8a58b60404166d84929db757b769f05e8b37af61a7560fcf011759fafb993f8
194 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

This PDF was flagged as malicious by ClamAV and a machine learning classifier. It contains embedded JavaScript and a launch action, indicating it is designed to execute a payload. The presence of PDF_ENCRYPTED_WITH_JS and PDF_LAUNCH heuristics suggests the document is obfuscated to hide its malicious intent, likely to download and execute a second-stage payload. The specific ClamAV detection name 'Win.Trojan.Dropper-135' strongly suggests its function.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • ClamAV: Win.Trojan.Dropper-135 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Dropper-135
  • Launch action high PDF_LAUNCH
    PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
  • Encrypted PDF carries /OpenAction — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/OpenAction). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0013_000.js
666ed77ba6befad7acaaa158d3416f86f3d8740273d7bdcc5407f6fdfe89294e		 pdf-javascript-stream PDF /JS object 13 at offset 0x2154C 82 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.