Malicious PDF — malware analysis report

Static analysis result for SHA-256 fde8a00fcfea574b…

Verdict: MALICIOUS
File type: PDF
Size: 434.7 KB
MD5: bee9d66ccf6cc49ea492e7ee67a82101
SHA-1: d24a8e4bf1965b39e0a875525821087f9eb42563
SHA-256: fde8a00fcfea574be53775567ddc8fb7c42d9e8dfe3bbad2304db8b99afeade9
Risk Score: 102

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

This PDF was flagged as malicious by an ML classifier with high confidence. Heuristics indicate the presence of JavaScript, which is used to obscure the document's content and likely execute a secondary payload. The encrypted nature of the PDF, combined with the JavaScript, suggests a deliberate attempt to evade static analysis and deliver malicious code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (5)

  • Encrypted PDF carries /JavaScript — payload hidden from static analysis (severity: high; rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action (severity: low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low; rule PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • AcroForm button with action trigger (severity: low; rule PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0029_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x3556
    Size: 4562 bytes
    SHA-256: 3efb5d1a5598d3ee7ae500b220714fb83e9eeb69e35549f069e78ee1d8f9410e
  • font_00_cff_off0000521b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x521B
    Size: 1138 bytes
    SHA-256: cf4a9aaa37300558115c3e99be8e93710443c3c5320de5ebb95742f045fc87e3