PDF malware analysis — malicious · 05b6e12b8d27ce84

MALICIOUS

PDF

33.6 KB Created: 2009-10-13 21:01:21 +04:00 Authoring application: freeReaderUses (via 064ba0b2df0a041eb25bbc91e699926e)

MD5: e76562dae31dfb1278dded007081e05b SHA-1: 2249cf8745555b9cb2e64a7e73d308b1403b8ec0 SHA-256: 05b6e12b8d27ce84f5e7f5884cf4e54cdbeb6557bd2897c50c75e4a93d2b5e67

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The critical ClamAV detection and high ML confidence indicate malicious intent. The embedded JavaScript, identified by multiple heuristics, is likely responsible for downloading and executing a secondary payload, a common technique for PDF-based malware. The specific ClamAV signature 'Pdf.Dropper.Agent-7224347-0' further supports its role as a dropper.

Machine Learning

Nyx PDF Classifier malicious score 0.9991

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7224347-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7224347-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0016_000.js` `4102b22a6857fbe16b656ab91d8aa867401d64ec9437252c46b3b73653b568ac`	pdf-javascript-stream	PDF /JS object 16 at offset 0x2AF0	21386 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.