Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8792573b8f933f3…

MALICIOUS

PDF

11.29 MB
MD5: db20d09bb3acdeb43dbfcb28db6f8807 SHA-1: 9986c73b1a70ed5196b02d6d870c1a3330be5c7f SHA-256: e8792573b8f933f3587115b42501fb11b69b325bce31d06f94948f4e59ff08db
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

This PDF file was flagged as malicious by a machine learning classifier with high confidence. It contains embedded JavaScript and is encrypted using JavaScript, indicating an attempt to conceal malicious code. The presence of PDF_ENCRYPTED_WITH_JS and PDF_FILTER_HEX heuristics suggests that the JavaScript is used to obfuscate or deliver a payload, likely for downloading and executing further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics 5

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)

Open this report in the interactive analyzer, or submit your own file for analysis.