Malicious PDF — malware analysis report

Static analysis result for SHA-256 e922e1c2c33afe79…

MALICIOUS

PDF

5.4 KB Created: 2008-07-26 19:43:58 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)
MD5: e56a7f6c931b435c2af61a024cba7a33 SHA-1: 8ecfa4d3032f57166c2d0faa93c0b9537ed89d7e SHA-256: e922e1c2c33afe79b45d9255dbc8ec55539c5d4a736b3ce36c1229d6153ef2e0
130 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell T1027 Obfuscated Files or Information

This PDF sample was flagged as malicious by a machine learning classifier with high confidence. Static analysis revealed the presence of JavaScript, including obfuscated code utilizing eval() and unescape() functions. The ML classifier's high score and the presence of these obfuscation techniques strongly suggest that the script is designed to download and execute a secondary payload. No specific family could be identified due to the heavy obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0014_000.js
2143d05ad8d92fb738bde89f9aabf0b3ce5aec7c87327d4e986df04db6f8cb91		 pdf-javascript-stream PDF /JS object 14 at offset 0x38D 81109 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.