PDF malware analysis — malicious · 003b21c878467b24

MALICIOUS

PDF

23.2 KB

MD5: b413e0786eb75b48379fa33880ecb24d SHA-1: 0dce47fc787bf43a293c623e8855d1f40677037d SHA-256: 003b21c878467b24a8d3b1147a821e4e739f2d4d987ad445c086575a29a6ed44

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier and ClamAV detection strongly suggest malicious intent, likely as a dropper. While no specific URLs or executable content were directly extracted, the presence of JavaScript points to an attempt to execute malicious code, potentially to download and run a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9981

Heuristics 4

ClamAV: Pdf.Dropper.Agent-5343066-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-5343066-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objstm_0019_00.bin` `729414f6718edf0ec69ca74ac4aadd8cf5d728dc183704dd6bc7f97d97bd8911`	pdf-objstm-decoded	PDF /ObjStm 19 0 obj (inflated)	270 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.