Malicious PDF — malware analysis report

Static analysis result for SHA-256 02eb658a7805fd95…

Verdict: MALICIOUS
File type: PDF
Size: 27.7 KB
MD5: 6d2684822445041eac3acb4dc245bd94
SHA-1: 9d00775859e120815c6709b25362ee3edd72cc89
SHA-256: 02eb658a7805fd9513824741e68db842466b9acdd95998198a6d309a21e9b5b8
Risk score: 166

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF carries embedded JavaScript: two heuristics fired on the /JavaScript action and the /JS stream, and the script carved from object 8 is flagged by ClamAV as Win.Trojan.Agent-36100. A third artifact was recovered by double percent-decoding the annotation JavaScript, so the script wraps its next stage in at least two layers of percent-encoding, even though the carved streams themselves did not score as obfuscated. Win.Trojan.Agent-36100 is a generic signature: it confirms known-malicious content but does not by itself establish what the script does, and this report contains no behavioral trace, so a second-stage download is plausible but not verified here. The ML classifier scored the file 0.9999 malicious. The likely delivery pattern is a spearphishing attachment (T1566.001), with the embedded JavaScript as the execution mechanism (T1059.007).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Win.Trojan.Agent-36100 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0008_000.js
  SHA-256: 29c85454044a72532a586b9100080510c83878170d93b78c8c3d098b4991d4da
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x1E7
  Size: 27621 bytes
  Detection: ClamAV: Win.Trojan.Agent-36100
  Obfuscation or payload: unlikely

Artifact 2
  Filename: javascript_obj0008_001.js
  SHA-256: 4286e6770580e042f7b72cd86ba79b29b27f0a06a1686bd39ee96217a02dbf18
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x20A
  Size: 27871 bytes
  Detection: ClamAV: Win.Trojan.Agent-36100
  Obfuscation or payload: unlikely

Artifact 3
  Filename: legacy_pdfkit_stage_000.js
  SHA-256: 38463cd8bdba329d7175085af972ecc124b6e1c82d3e950bdbb4dd01be0ebee8
  Kind: deobfuscated-js
  Source: double percent-decoded annotation JavaScript at offset 0x1E7
  Size: 15189 bytes
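The two low-severity heuristics above (a /JavaScript action, a /JS stream) and the "double percent-decoded" stage in the artifact list describe one triage pipeline: find the action, resolve and carve the stream it points at, then peel percent-encoding until a readable next stage appears. The script below is an added example written for this page; it is not the analysis platform's code and was not run against the sample above. It builds its own constructed PDF (a /OpenAction whose /JS is a FlateDecode stream that eval()s a double percent-encoded string), carves objects with a regex scan rather than a full PDF parser, and reuses the report's rule IDs PDF_JAVASCRIPT and PDF_JS purely as labels.

```python
"""Triage a PDF for embedded JavaScript: flag /JavaScript actions and /JS
streams, carve the stream, and peel double percent-encoding to recover the
next stage. Added example; the sample PDF is constructed, not the analysed file."""
import hashlib
import re
import zlib
from urllib.parse import quote, unquote

OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj', re.S)
LENGTH_RE = re.compile(rb'/Length\s+(\d+)')
STREAM_START_RE = re.compile(rb'stream\r?\n')
JS_REF_RE = re.compile(rb'/JS\s+(\d+)\s+\d+\s+R')          # indirect /JS only
PERCENT_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*%[0-9A-Fa-f]{2}(?:[^"\\]|\\.)*)"')


def build_sample_pdf():
    """Constructed sample: a one-page PDF whose /OpenAction runs a /JavaScript
    action; its /JS is a FlateDecode stream that eval()s a second stage wrapped
    in two rounds of percent-encoding, mimicking unescape(unescape(...))."""
    stage2 = 'app.alert("stage 2 reached");'
    encoded = quote(quote(stage2, safe=''), safe='')
    stage1 = f'eval(unescape(unescape("{encoded}")));'.encode()
    packed = zlib.compress(stage1)
    objects = [
        (1, b'<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>'),
        (2, b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>'),
        (3, b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>'),
        (4, b'<< /S /JavaScript /JS 5 0 R >>'),
        (5, b'<< /Length %d /Filter /FlateDecode >>\nstream\n' % len(packed)
            + packed + b'\nendstream'),
    ]
    pdf = b'%PDF-1.4\n'
    for num, body in objects:
        pdf += b'%d 0 obj\n' % num + body + b'\nendobj\n'
    # No xref table: carving does not need it, and real readers repair it anyway.
    return pdf + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


def carve_objects(pdf):
    """Map object number -> (file offset, body) by scanning 'N G obj ... endobj'.
    A carving scan, not a parser: xref, object streams and incremental updates
    are ignored, which is also why carved offsets need not be the canonical ones."""
    return {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}


def stream_data(body):
    """Return the decoded payload of an object's stream, honouring /Length and
    /FlateDecode; None when the object has no stream. Slicing by /Length avoids
    the trap of searching for 'endstream' inside binary data."""
    start, length = STREAM_START_RE.search(body), LENGTH_RE.search(body)
    if not start or not length:
        return None
    raw = body[start.end(): start.end() + int(length.group(1))]
    return zlib.decompress(raw) if b'/FlateDecode' in body else raw


def peel_percent_encoding(text, max_rounds=8):
    """Percent-decode until the text stops changing; return (plaintext, rounds).
    Only %XX is handled: JavaScript's unescape() also accepts %uXXXX, which a
    real deobfuscator must add. max_rounds bounds pathological inputs."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def triage(pdf):
    """Fire the two generic JS heuristics and carve every /JS stream, reporting
    the fields the report lists: object number, offset, size, SHA-256, and any
    percent-encoded string literal peeled back to its plaintext."""
    objects = carve_objects(pdf)
    heuristics, artifacts = set(), []
    for num, (offset, body) in objects.items():
        if b'/JavaScript' in body:
            heuristics.add('PDF_JAVASCRIPT')      # a /JavaScript action (low alone)
        ref = JS_REF_RE.search(body)
        if not ref:
            continue
        heuristics.add('PDF_JS')                  # the action references a /JS stream
        target = int(ref.group(1))
        if target not in objects:
            continue
        js_off, js_body = objects[target]
        js = stream_data(js_body)
        if js is None:
            continue
        literals = PERCENT_LITERAL_RE.findall(js.decode('latin-1'))
        artifacts.append({
            'object': target, 'offset': js_off, 'size': len(js),
            'sha256': hashlib.sha256(js).hexdigest(),
            'stages': [peel_percent_encoding(lit) for lit in literals],
        })
    return {'heuristics': sorted(heuristics), 'artifacts': artifacts}


if __name__ == '__main__':
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

On the constructed sample the two heuristics fire, one stream is carved, and the string literal unpacks after exactly two decode rounds, which is the "double percent-decoded" condition the third artifact records. A practitioner would follow this with the API-level rules the heuristics text alludes to (scoring what the recovered stage calls) rather than stopping at the generic /JS hit.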