Malicious PDF — malware analysis report

Static analysis result for SHA-256 07ed73148ee251c0…

MALICIOUS

PDF

Size: 7.3 KB
Created: 2010-09-16 18:52:20
Authoring application: Qabifagevafa (via 2ff8dTiqotezozav)
MD5: 99d2fe689978db4478c8cefda5a0ae94
SHA-1: 489587c9ad2f72d7dd55fe54dbf5bf2d8726d088
SHA-256: 07ed73148ee251c075bb42a551d7be9e5ea8f1b2c62661f787987b66d0e4c820
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, identified by multiple heuristics and ClamAV. The JavaScript code appears to be obfuscated but is designed to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness, and the presence of JavaScript points to a common technique for delivering malware via documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 3

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256: ff85b44f7d06834e69a161aee8e28b7340c56fef50ee1649100cb6f376ea5386
Kind: pdf-javascript-stream
Source: PDF /JS object 11 at offset 0x1364
Size: 2324 bytes