Malicious PDF — malware analysis report

Static analysis result for SHA-256 03c73a68e094d003…

Verdict: MALICIOUS
File type: PDF
File size: 27.7 KB

MD5: 1f487d112429c4931f2ea69062f7bdd9
SHA-1: 9675d3e547b27d0301d1ce2abdee371cb9eaa6e9
SHA-256: 03c73a68e094d003ce7839bc4dc865ca11bfcd74c70ef4b30a392e91bd05ee37

Risk Score: 166

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The sample is a PDF file flagged as malicious by multiple engines, including ClamAV which identified it as Win.Trojan.Agent-36100. Embedded JavaScript streams were detected and extracted, indicating the document's primary function is to execute malicious code. The JavaScript appears to be heavily obfuscated but is designed to download and execute a second-stage payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Win.Trojan.Agent-36100 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size, Detection

  • javascript_obj0008_000.js
    SHA-256: 07029f9fe06866255932819f4f8f47fe0998e8f4147b06d913ebdbd248eb8953
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 27621 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • javascript_obj0008_001.js
    SHA-256: 7300e1757166c5762ac80e81081e0cc3a45258491b6bebed393737c89901c79f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x20A
    Size: 27871 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • legacy_pdfkit_stage_000.js
    SHA-256: c6b391cf0bcdc6449a73c5ec979538f9df8911af71c0397e5e6d6420ae020e91
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 15189 bytes