Malicious PDF — malware analysis report

Static analysis result for SHA-256 da17298335ca258d…

Verdict: MALICIOUS
File type: PDF
Size: 2.4 KB
MD5: 06370db28afe2b9f59b416793f1cb973
SHA-1: cd9ed91718afbcf385ae5035a80c9b90321d7862
SHA-256: da17298335ca258d1f94ef573c536aedd08c9e7f5753fc1237a84461fffda26b
Risk Score: 110

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF is malformed and contains an embedded script payload, as indicated by the 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristic. The ML classifier also flagged it as malicious. The presence of 'Wscript.Shell' and 'WbemScripting.SWbemLocator' in the document body suggests the script likely attempts to interact with the Windows scripting host and WMI to execute further malicious actions, potentially by creating or manipulating processes.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9647

Heuristics (2)

  • Malformed PDF header with no object graph (severity: high; PDF_MALFORMED_NO_OBJECT_GRAPH)
    File starts with a PDF header but contains no indirect objects, xref table/stream, or startxref pointer. This is not a normal renderable PDF and can indicate parser fuzzing, evasion, or a corrupt exploit test case rather than benign content.
  • Embedded script payload in PDF stream (severity: high; PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.