Verdict: MALICIOUS
Risk Score: 112

Malware Insights
MITRE ATT&CK
- T1059.007 JavaScript
- T1566.001 Spearphishing Attachment
The PDF is encrypted and is flagged by multiple detection engines, including ClamAV as Pdf.Dropper.Agent-7223524-0. Static triage indicates obfuscated JavaScript within an embedded stream, suggesting it is intended to download and execute a secondary payload. The presence of obfuscated JavaScript points to the T1059.007 (JavaScript) technique. Given the nature of dropper malware, it is likely delivered via T1566.001 (Spearphishing Attachment).
Machine Learning
- Nyx PDF Classifier malicious score 0.5781
Heuristics (3)
- ClamAV: Pdf.Dropper.Agent-7223524-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Dropper.Agent-7223524-0.
- Suspicious extracted artifact [medium, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Encrypted PDF (string and stream contents are opaque to static scan) [info, PDF_ENCRYPTED]: PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Hash (SHA-256) | Kind | Source | Size |
|---|---|---|---|---|
| stream_009_off0000199a.js | 0c50aaae6ddc174f0d27451997794c89b5a69858c9c332bdcfbcec3784fa7166 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x199A | 48878 bytes |

Detection for stream_009_off0000199a.js:
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).