Malicious PDF — malware analysis report

Static analysis result for SHA-256 f927413bda49291f…

Verdict: MALICIOUS
File type: PDF
Size: 6.3 KB
MD5: e099a59ad77391ab39c92e245b7634a4
SHA-1: ab4ef153f71da2e0c77f7c7e24ad3da3cd8dfd50
SHA-256: f927413bda49291fd7d8441c200218c2356aa4b6f4bced2a159b8b990fb80d59
Risk score: 94

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
Note: T1059.001 is Command and Scripting Interpreter: PowerShell. Nothing on this page (the heuristics, the carved object stream) shows PowerShell; the evidence is PDF-embedded JavaScript, which ATT&CK maps to T1059.007 (JavaScript). Treat the PowerShell tag as unconfirmed unless dynamic analysis shows a PowerShell launch.

This PDF contains embedded JavaScript: PDF_JAVASCRIPT and PDF_JS fired on a /JavaScript action and a /JS stream, and PDF_EVAL and PDF_FROMCHARCODE fired on the script body. All four matched inside a decoded (inflated) stream rather than in the plain document body, which is how JavaScript is typically kept out of sight of naive keyword scans. An eval() call fed by String.fromCharCode is the usual staging pattern for obfuscated exploit or dropper code: the real script is assembled at runtime, so static extraction does not recover it. No malicious URL or second-stage script was extracted, but the ML classifier scores the sample as malicious with high confidence. The URLs found are XMP/RDF metadata namespace identifiers, common in legitimately produced PDFs, and are not indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9833

Heuristics (5)

  • eval() call [high] PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • String.fromCharCode [low] PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all five are XMP/RDF metadata namespace identifiers, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: objstm_0024_00.bin
SHA-256: 3d84bded11584a039b5af990ef50dd13666b69201c3380e4ccfbea8f1239553a
Kind: pdf-objstm-decoded
Source: PDF /ObjStm 24 0 obj (inflated)
Size: 503 bytes

The heuristics above report their matches inside a decoded stream, and this inflated object stream is the only decoded artifact the analysis carved, so it is the first place to look for the script body.
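The heuristics list and the artifact table above describe the same mechanism from two sides: the JavaScript only became visible after a /FlateDecode object stream was inflated, and the carved artifact is that inflated stream. The following Python is an added example of a scanner that does this, not the analyzer's own code or output. The rule ids and severities are taken from the page; the regular expressions, the severity weights, the regex-based stream parser, the partial-inflate handling for corrupt zlib data, and the constructed sample PDF (a compressed /ObjStm holding an eval(String.fromCharCode(...)) action) are this example's own assumptions. It uses only the standard library.

```python
"""Static PDF triage in the spirit of the report above: locate every stream,
inflate /FlateDecode data (including /ObjStm object streams, where JavaScript
is often hidden from naive keyword scans), run regex heuristics over the
document body and each decoded stream, and carve object streams as artifacts.
Added example, not the analyzer's code: rule ids and severities come from the
report; regexes, weights and the parsing approach are this example's own."""
import hashlib
import re
import zlib

RULES = [  # (rule id, severity, pattern); ids and severities as in the report
    ("PDF_JAVASCRIPT", "low", re.compile(rb"/JavaScript\b")),
    ("PDF_JS", "low", re.compile(rb"/JS\b")),
    ("PDF_EVAL", "high", re.compile(rb"\beval\s*\(")),
    ("PDF_FROMCHARCODE", "low", re.compile(rb"String\.fromCharCode")),
]
WEIGHTS = {"high": 3, "low": 1}  # assumed weights for a simple tally
# '#' is kept so XMP namespace URIs such as .../22-rdf-syntax-ns# stay intact.
URL_RE = re.compile(rb"https?://[^\s<>\"'()\]]+")
# "N G obj << ... >> stream ... endstream"; simplification: the body ends at
# the endstream keyword rather than at /Length.
STREAM_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S
)


def decode_stream(dictionary: bytes, raw: bytes) -> bytes:
    """Inflate /FlateDecode data; keep whatever inflated before a corruption
    (crafted files often carry truncated or damaged zlib streams)."""
    if b"/FlateDecode" not in dictionary:
        return raw
    inflater, out = zlib.decompressobj(), bytearray()
    try:
        for i in range(0, len(raw), 512):
            out += inflater.decompress(raw[i:i + 512])
    except zlib.error:
        pass
    return bytes(out) or raw


def scan_pdf(data: bytes) -> dict:
    """Return heuristic hits, URLs, carved object streams and a severity tally."""
    regions, artifacts = [], []
    for m in STREAM_RE.finditer(data):
        num, gen = int(m.group(1)), int(m.group(2))
        dictionary, raw = m.group(3), m.group(4)
        decoded = decode_stream(dictionary, raw)
        prefix = "decoded " if decoded != raw else ""
        regions.append((f"{prefix}stream {num} {gen} obj", decoded))
        if b"/ObjStm" in dictionary:  # same fields as the artifacts table above
            artifacts.append({
                "filename": f"objstm_{num:04d}_{gen:02d}.bin",
                "sha256": hashlib.sha256(decoded).hexdigest(),
                "kind": "pdf-objstm-decoded",
                "source": f"PDF /ObjStm {num} {gen} obj (inflated)",
                "size": len(decoded),
            })
    # Dictionaries, xref and trailer only: stream bodies are cut out so that
    # compressed bytes can never produce spurious keyword matches.
    body = STREAM_RE.sub(lambda m: m.group(0)[: m.start(4) - m.start(0)], data)
    regions.insert(0, ("document body", body))
    hits, urls = [], []
    for location, blob in regions:
        hits += [{"rule": r, "severity": s, "location": location}
                 for r, s, p in RULES if p.search(blob)]
        urls += [{"url": u.decode("latin-1"), "channel": location}
                 for u in URL_RE.findall(blob)]
    score = sum(WEIGHTS[h["severity"]] for h in hits)
    return {"hits": hits, "urls": urls, "artifacts": artifacts, "score": score}


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): the /OpenAction JavaScript
    lives only inside a compressed /ObjStm, invisible to a plain keyword grep."""
    js = b"eval(String.fromCharCode(97,112,112,46,97,108,101,114,116,40,49,41))"
    obj25 = b"<< /S /JavaScript /JS (" + js + b") >>"  # js decodes to app.alert(1)
    obj26 = b"<< /Type /Catalog /OpenAction 25 0 R >>"
    header = b"25 0 26 %d\n" % (len(obj25) + 1)  # "objnum offset" pairs
    packed = zlib.compress(header + obj25 + b"\n" + obj26)
    objstm = (b"24 0 obj\n<< /Type /ObjStm /N 2 /First %d /Filter /FlateDecode "
              b"/Length %d >>\nstream\n" % (len(header), len(packed))
              + packed + b"\nendstream\nendobj\n")
    xmp = b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>'
    meta = (b"1 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n"
            % len(xmp) + xmp + b"\nendstream\nendobj\n")
    return b"%PDF-1.5\n" + meta + objstm + b"trailer\n<< /Root 26 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = scan_pdf(build_sample_pdf())
    for h in result["hits"]:
        print(f"{h['rule']:<17} {h['severity']:<4} matched inside {h['location']}")
    for u in result["urls"]:
        print(f"EMBEDDED_URL      info {u['url']} via {u['channel']}")
    for a in result["artifacts"]:
        print(f"artifact {a['filename']} {a['source']} {a['size']} bytes")
    print("severity tally:", result["score"])
```

On the constructed sample, a byte-level grep of the file finds no /JavaScript at all; all four rules fire only on "decoded stream 24 0 obj", the XMP namespace URL is reported from the uncompressed metadata stream, and the inflated object stream is carved with the same filename, kind and source fields the report's artifact table uses. The severity tally is a simple count, not a reproduction of the report's ML-derived risk score. Stream bodies are removed from the "document body" region before matching so that compressed bytes cannot produce accidental keyword hits, and decode_stream keeps partial output when a crafted zlib stream is truncated or corrupt instead of discarding it.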