PDF malware analysis — malicious · 01df11fb758067f5

MALICIOUS

PDF

14.4 KB Created: 2009-11-15 19:41:70 Authoring application: PDF Library 4.3.9 (via PDF Library 3.9.7)

MD5: dc6de2bbd0c3342e07bd5b758e45648d SHA-1: 1cfc5fd4a22791b0818ee318ccf6bb3d7b117690 SHA-256: 01df11fb758067f553576b77b6fc58fb5a18e29721f4f9981c364b6fb6849ae2

166 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file was flagged as malicious by multiple engines, including ClamAV and an ML classifier. Embedded JavaScript, identified as obfuscated, is present and likely responsible for downloading and executing a secondary payload. The presence of JavaScript actions and streams within the PDF structure strongly suggests this attack vector.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Win.Trojan.Agent-36166 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-36166
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0007_000.js` `640e4d87d42be5223399f965cfa699c7def014549f5d144b73c2463ec00102e0`	pdf-javascript-stream	PDF /JS object 7 at offset 0x1A5	74751 bytes
Detection ClamAV: Win.Trojan.Agent-36166 Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.