Malicious PDF — malware analysis report

Static analysis result for SHA-256 da17d03beb9d718b…

MALICIOUS

PDF

8.1 KB
MD5: f11db17b266d4b60616509cfc6c3bded SHA-1: 5f8fd7973380327dde13c54da0b455fbdb11c4c9 SHA-256: da17d03beb9d718b2173b3274ebf93ac55a765892bdc4b3f1d33153baaf35e14
96 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged as malicious by an ML classifier and contains embedded JavaScript. The JavaScript stream exhibits obfuscation techniques such as eval() calls and String.fromCharCode, indicating an attempt to hide malicious code. This script is likely responsible for downloading and executing a secondary payload, which is a common technique for initial access or further system compromise. No specific family could be identified due to the obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9224

Heuristics 6

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00000329.js
2cad0b356b72c907a4e0577853c1bbb2c35766b8a357eba683392664a9bee790		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x329 3334 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
objstm_0024_00.bin
88a6111143114d281414ecfe1288f214d2d83b25a52e5e2d7b39fc36350045a1		 pdf-objstm-decoded PDF /ObjStm 24 0 obj (inflated) 331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.