Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb6f12231792be20…

Verdict: MALICIOUS
Type: PDF
Size: 7.4 KB
MD5: bc0eb6590aee5f5dece10b36cfd1bf82
SHA-1: e7f571ff1e5001bd77d9cd82671de97f70b273f7
SHA-256: eb6f12231792be20fda5bca1d18eb365d4066405d69c8b31da25b4da73ad9575
Risk Score: 86

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1027 Obfuscated Files or Information

The PDF file is encrypted and contains embedded JavaScript; the document encryption hides the JavaScript body and the rest of the content, including the malicious payload, from static analysis. The ML classifier strongly indicates maliciousness. The presence of JavaScript actions and embedded JS streams points to an obfuscated delivery mechanism, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [high] PDF_ENCRYPTED_WITH_JS: Encrypted PDF carries /JavaScript; payload hidden from static analysis
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • [low] PDF_JAVASCRIPT: JavaScript action
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0013_000.js
SHA-256: c70d0df72ba726d9ea0124f15a8904bfb517f12da38ba61e440fe0d9cf8a7f4f
Kind: pdf-javascript-stream
Source: PDF /JS object 13 at offset 0x1852
Size: 615 bytes