Malicious PDF — malware analysis report

Static analysis result for SHA-256 e33b43cd6fc70239…

MALICIOUS

PDF

54.4 KB Authoring application: PyPDF2
MD5: 6c275b4f21d6ac169f9e413cd2dea70b SHA-1: 4ff1b4dbdbd22ccba5cfebc0fc01241b4dfd6287 SHA-256: e33b43cd6fc70239e9521bb6e43952914397a8f251b990b6521189b1b6561d97
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains obfuscated JavaScript, identified by the PDF_JAVASCRIPT and PDF_JS heuristics. The script utilizes eval() and attempts to download a payload from a constructed URL, which is reconstructed as 'Z?P Q?u 8?F MtZhCeRrHedisszsaoymgeJgRoRoTdJqYqF.KcyoYmC/32q1cTdVQjbs5?H oy0oOmqaVnbaSrbmyyKcjcp.taJsyiFal/O2x1LTDVBjEsp?b Q?'. This indicates a downloader or initial access stage. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9869

Heuristics 9

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI low PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.copyright.gov/title37/253/index.html

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
d0af7b1337741564e0a54ee663917e8129230da09a57bb2cb8e5cf5084588709		 pdf-javascript-stream PDF /JS object 7 at offset 0x874 5507 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s).
javascript_obj0007_001.js
1a49226ab6d78772c36e664345fbe760eb685906bab70e0500ef935ead4aee9d		 pdf-javascript-stream PDF /JS object 7 at offset 0x874 204 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_pdf_script_00001e25.bin
135fb23a0f7f41ab2cf85869eb0a1bc2bc5236f1f199d10b5c508876f842aa73		 pdf-embedded-script PDF decompressed stream script payload at offset 0x1E25 55718 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
generic_stage_recovery_000.js
9b563d35255c63487cd7fef5272a5722ea85d2e3264652974f9313e73314499b		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0x0 at offset 0x0 55620 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 shell/COM execution token(s). Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.