Malicious PDF — malware analysis report

Static analysis result for SHA-256 00538ad982fbc1b8…

MALICIOUS

PDF

Size: 74.0 KB
Created: 2009-09-09 11:18:27
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 74a5a8f294028c98ac4356424cea71a0
SHA-1: fa59ba7ca89bee2329377c2cc5babe86c69cfcc3
SHA-256: 00538ad982fbc1b8e958958f8f60b56973f7a6614299c5a64e04213366cc5b42
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF file was flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. Embedded JavaScript streams were detected, with one stream containing obfuscated code that, after deobfuscation, appears to be designed to download and execute a secondary payload. The `haveSitesForm` variable, when deobfuscated, reveals a string that likely contains URLs or commands for the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9378

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7221539-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7221539-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • javascript_obj0025_000.js
    SHA-256: d92fb7470e750b9a097b824b2fc1b6fbb1841032d813f58225414e1844d67503
    Kind: pdf-javascript-stream; Source: PDF /JS object 25 at offset 0xE843; Size: 23990 bytes
  • javascript_obj0026_001.js
    SHA-256: 036197a3773b42aa4cf58bc88bec4c3a3d61652db00d98e3b2e3bce3f39583b9
    Kind: pdf-javascript-stream; Source: PDF /JS object 26 at offset 0x11F68; Size: 217 bytes
  • javascript_obj0027_002.js
    SHA-256: 88d776c9c31b58329ae9b3ceab68fa3ff97727f5a26d83601db59ed4ee150509
    Kind: pdf-javascript-stream; Source: PDF /JS object 27 at offset 0x12068; Size: 191 bytes
  • javascript_obj0028_003.js
    SHA-256: 533c8f1e0d40313d5ab3ad135144190f644de656939bdc3ccaf1e5a5bf139c42
    Kind: pdf-javascript-stream; Source: PDF /JS object 28 at offset 0x12146; Size: 132 bytes
  • javascript_obj0029_004.js
    SHA-256: 4eea82a81c35b7b26af5a2c794277d8055e48e97f1a8481aaca0aab2235dd5ef
    Kind: pdf-javascript-stream; Source: PDF /JS object 29 at offset 0x121FB; Size: 204 bytes