Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9b8aa448bfb122f…

MALICIOUS

PDF

46.3 KB
MD5:     b46772e52ecf0a3a8ce443c392a17824
SHA-1:   3ea58f3c11a9b3d0a8f81b62b4e3f1bcc985623b
SHA-256: d9b8aa448bfb122ffac31ac1633809478f87304f89be1e79423073747ab1e1da

Risk Score: 114

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF was flagged both by a machine learning classifier and by ClamAV (critical severity), indicating malicious content. The embedded JavaScript, carved as 'javascript_obj0012_000.js', is present and is the likely mechanism for executing the malicious payload. The combination of a /JavaScript action and an embedded /JS stream points to an attempt to exploit reader vulnerabilities or to deliver further malware. The ML classifier's high output score further supports the verdict that the file is malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9724

Heuristics (4)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture (XFA), which can contain script logic.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0012_000.js
SHA-256:  39c0f7badeaec63dd00a9ac761a68415871f19a477ff56911f52892fcad6b8ee
Kind:     pdf-javascript-stream
Source:   PDF /JS object 12 at offset 0xA1F5
Size:     3966 bytes