PDF malware analysis — malicious · e9215276bed065c7

MALICIOUS

PDF

145.0 KB Created: 2008-05-18 21:50:46 +04:00 Authoring application: PDFCreator Version 0.9.0 (via AFPL Ghostscript 8.53)

MD5: daf7ec0133f1e902395390d1ec2eb442 SHA-1: 617c1ce7b4d0e3b8df135d40f6260d78baf5c4a2 SHA-256: e9215276bed065c78ab498b989793329ff7177bcf09191f9f99f21daf53767d1

62 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and utilizes ASCII85Decode filters, which are common indicators of exploit attempts. The ML classifier also flagged this PDF as malicious. While the specific exploit or payload is not immediately clear from the static analysis, the presence of these elements strongly suggests an attempt to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 0.8013

Heuristics 4

JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_009_off00021bce.bin` `18160695d6a5de65f93e0a8675dcdc679a30a1f44c2f35f4ae4a76c8c8774082`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x21BCE	428 bytes
`font_00_sfnt_off000029b7.bin` `c0f7df7b4c0e3f7641e38f94f6483d97d081649c36d5f87d3c1a5d82a4132acf`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x29B7	32792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.