PDF malware analysis — malicious · f9bb38c9de3ec5bb

MALICIOUS

PDF

4.7 KB Created: 2010-06-16 08:34:22 Authoring application: Amyuni PDF Creator (via Amyuni PDF Converter version 2.50f)

MD5: 60d2254b3fea2eeb73681d7a5663c921 SHA-1: 560d6ad78e3e70ceff275a3dbba29c7477717788 SHA-256: f9bb38c9de3ec5bb4be8ed9a5c6b8f8e338bd132ed8b66c1913c98a120d683d7

198 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF contains JavaScript that triggers an exploit, as indicated by the PDF_JS_EXPLOIT_CLUSTER and PDF_CORRELATED_MALICIOUS_JS heuristics. The ML classifier also strongly flagged this PDF as malicious. The JavaScript likely attempts to download and execute a second-stage payload, although the specific actions are obfuscated. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 4

PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
Correlated malicious PDF JavaScript signals critical PDF_CORRELATED_MALICIOUS_JS

PDF JavaScript or auto-action content is corroborated by exploit staging, ML, or suspicious extracted-artifact findings. This correlation promotes old exploit-kit PDFs that otherwise remain in the suspicious band because each individual signal is intentionally weighted conservatively.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.