Malicious PDF — malware analysis report

Static analysis result for SHA-256 0297ad101e2e1ac7…

MALICIOUS

PDF

Size: 1.9 KB
Authoring application: sli
MD5: 5aa9944b2960b2a0dbea7a993c7b8b84
SHA-1: 2e8070c855ff4d54d08f4b6d41728929bc29e4ca
SHA-256: 0297ad101e2e1ac7d82cd761fa8f03f842f53c98cdc5dd67cd5681e4b7d7401f
Risk Score: 106

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, flagged by multiple heuristics and ClamAV as malicious. The JavaScript is obfuscated but appears to be designed to download and execute a secondary payload, as indicated by the ML_NYX_PDF_MALICIOUS and ClamAV detections. The specific exploit and payload are not fully discernible from the provided script, leading to an 'unknown family' classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Exploit.Dropped-91 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-91
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0076_000.js
    SHA-256: b3caba947c85222a866eb8fb8541bc1748c24cf30a81b32aee607ef92a760bd2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 76 at offset 0x426
    Size: 549 bytes
  • Filename: deobfuscated.js
    SHA-256: c4ce96481fd07cf724ba34e30999ca93496a4614581dfd51714432322d920a0b
    Kind: deobfuscated-js
    Source: PDF JavaScript deobfuscation pass
    Size: 1215 bytes