Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5dce195f65c3beb…

MALICIOUS

PDF

249.4 KB Created: õ¼nüµŽ§NKXñ£ðc™NÍ" Authoring application: áÕ?S_»ñŒ¹GK–ö»;Á]Ý+Í (via ðå.NTªñ™ÓJ ¬ÿ¬:ˆHÍ4ßy˜oîAÍ)
MD5: edb0334cc5867ff93f49e11188318261 SHA-1: 22d9ce8a2d40fd5d7388c7936d0dd70e3f714eac SHA-256: f5dce195f65c3beb44d59673927e8a4404d0a8e7a07f32fe5291ee6e3c0848e6
102 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

This PDF file was flagged as malicious by an ML classifier and exhibits several suspicious characteristics. It contains embedded JavaScript and is encrypted, with the JavaScript specifically noted as hiding the payload. This suggests the document is designed to execute malicious code upon opening, likely to download and run a secondary payload. The presence of PDF-specific heuristics like PDF_ENCRYPTED_WITH_JS and PDF_JAVASCRIPT strongly indicates an attempt to conceal malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9662

Heuristics 5

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.)

Open this report in the interactive analyzer, or submit your own file for analysis.