Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4d0b1ee50bc4aaf…

MALICIOUS

PDF

16.0 KB Created: 2007-12-35 21:45:26 Authoring application: Adobe
MD5: d1f3e7afd742805739c9d19b16d2d46d SHA-1: 100dcea44e0cf05c789143c3eb6f2eacd246d22d SHA-256: e4d0b1ee50bc4aafee4f21c9387658803ea2600aac01aacb73de892117cb3890
88 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, including a call to eval(), which is a strong indicator of malicious intent. The ML classifier also flagged this PDF with high confidence. The presence of JavaScript suggests an attempt to exploit vulnerabilities within the PDF reader or to execute arbitrary code. The specific JavaScript file 'javascript_obj0036_002.js' was identified as a suspicious extracted artifact.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0032_000.js
d0928565411dd5c1491bd9862799f5e76f62bc74e3ea037944ab0917edc5d6f5		 pdf-javascript-stream PDF /JS object 32 at offset 0x3A8 1475541 bytes
javascript_obj0034_001.js
d797de515dac4f8369b71edf86d0fc9aa8fe1224d8f9d3f1eea8a19a1f23bfc7		 pdf-javascript-stream PDF /JS object 34 at offset 0x3D2F 332 bytes
javascript_obj0036_002.js
351349db1f2c462951d107c63f395d2e3d546cbac252089bc55d7cd7501a396b		 pdf-javascript-stream PDF /JS object 36 at offset 0x80 426 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.