Malicious PDF — malware analysis report

Static analysis result for SHA-256 04fc9fc4754f2c3f…

MALICIOUS

PDF

Size: 59.3 KB
Created: 2006-02-16 15:03:51 -08:00
Authoring application: lice (via ubst)
MD5: 9add7bee8a5de4e44742522da85d2860
SHA-1: 7b0c26a4d157293477dddb13bdee4228665d896e
SHA-256: 04fc9fc4754f2c3fbcb1b3751c0b1ba1b84713f736fb53c994a8150fa8bc3630
Risk Score: 106

Malware Insights

MITRE ATT&CK

  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file was flagged by a machine learning classifier and ClamAV as malicious, specifically detecting it as 'Pdf.Exploit.Dropped-94'. It contains embedded JavaScript, which is a common technique for exploiting PDF vulnerabilities to execute arbitrary code. The JavaScript is heavily obfuscated, but its presence and the high confidence scores indicate it is designed to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0076_000.js
    SHA-256: bfc9b251c2f095dd37d0e883774ec0e3c4f8c2c31c7194acc70266d7002a8031
    Kind: pdf-javascript-stream
    Source: PDF /JS object 76 at offset 0x955
    Size: 50740 bytes