Malicious PDF — malware analysis report

Static analysis result for SHA-256 081f840e51069f19…

Verdict: MALICIOUS    File type: PDF

Size: 29.9 KB
Created: 2010-02-13 15:02:52 +03:00
Authoring application: [@_\!\?\$] (via e87152a7cbeb2c3262d51598e1de52d5)
MD5: f647f67e63265edf1d14a64453aca446
SHA-1: 23f78589add95091bdddf73e024d2ceacf52c33d
SHA-256: 081f840e51069f19ed9891ca57eaac23dfb16b1ca697318d3e7bfec4b009ab61
Risk score: 142

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The sample carries several indicators of malicious JavaScript: a /JavaScript action, two /JS streams (objects 18 and 20, 35,925 and 112 bytes) and ASCIIHexDecode and ASCII85Decode filters, which mainstream authoring tools seldom emit and which are commonly used to keep script or shellcode bytes out of reach of string-based scanners. The ML classifier (0.9982) and the ClamAV signature Pdf.Dropper.Agent-1828623 agree on a malicious verdict. The larger JavaScript stream is heavily obfuscated; the dropper signature is consistent with the script staging a follow-on payload, but this static pass recovers no second stage and no network indicator, so the download of a second stage is an inference from the obfuscation and the signature rather than an observed action. The Optional Content Group that co-occurs with the action trigger means a viewer may render none of the visible content the script is attached to while the open-time action still fires.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9982

Heuristics (6)

  • ClamAV: Pdf.Dropper.Agent-1828623 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1828623
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0018_000.js
    SHA-256: 4b94e715c53f76f5981b4c7de8d679bd8d79117efa8b1248c252a887e7e1f93f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 18 at offset 0x251D
    Size: 35,925 bytes
  • javascript_obj0020_001.js
    SHA-256: 609027210ba16c2028a772506652ee71998391fa52bd34b1ed39c8da78eab0fb
    Kind: pdf-javascript-stream
    Source: PDF /JS object 20 at offset 0x7135
    Size: 112 bytes
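The indicator matching in the Heuristics section and the /JS carving in the Extracted artifacts section, as an added example that is not part of this report or of the scanner's own code: a minimal Python triage pass that parses the object table of a PDF, flags the same kinds of indicators the report scores, undoes the ASCIIHex, ASCII85 and Flate filter chains, and carves every /JS payload with its object number and offset. The rule names mirror the report's heuristic IDs, but the PDF_OPEN_TRIGGER rule, the regex-based object parser and the constructed sample PDF (which also hides one action behind #xx-escaped names, a trick a naive string grep misses) are this example's own assumptions, not the scanner's implementation.

```python
import base64
import re
import zlib

# Rule names follow the report's heuristic IDs; PDF_OPEN_TRIGGER is this
# example's own addition (assumption), since an /OpenAction or /AA entry is
# what makes an embedded script fire without user interaction.
INDICATORS = {
    "PDF_JAVASCRIPT": rb"/JavaScript",
    "PDF_JS": rb"/JS",
    "PDF_OPEN_TRIGGER": rb"/(?:OpenAction|AA)",
    "PDF_FILTER_HEX": rb"/ASCIIHexDecode",
    "PDF_FILTER_85": rb"/ASCII85Decode",
    "PDF_OPTIONAL_CONTENT": rb"/OCProperties",
}
NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"  # a PDF name ends at whitespace or a delimiter
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_RE = re.compile(rb"/JS\s*(?:(\d+)\s+\d+\s+R|\(((?:\\.|[^\\)])*)\))", re.S)


def normalize_names(head: bytes) -> bytes:
    """Undo #xx escapes in names (/Java#53cript -> /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes.fromhex(m.group(1).decode()), head)


def parse_objects(pdf: bytes) -> dict:
    """Object number -> offset, normalized dictionary text, raw stream bytes.
    Only the dictionary is normalized so binary stream data stays untouched."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        objs[int(m.group(1))] = {
            "offset": m.start(),
            "dict": normalize_names(body[: sm.start()] if sm else body),
            "stream": sm.group(1) if sm else None,
        }
    return objs


def find_indicators(objs: dict) -> set:
    text = b"\n".join(o["dict"] for o in objs.values())
    return {rule for rule, pat in INDICATORS.items() if re.search(pat + NAME_END, text)}


def filter_chain(head: bytes) -> list:
    """/Filter names in application order (single name or array)."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/[A-Za-z0-9]+)", head)
    return re.findall(rb"/[A-Za-z0-9]+", m.group(1)) if m else []


def apply_filters(data: bytes, filters: list) -> bytes:
    for f in filters:
        if f == b"/ASCIIHexDecode":
            hexpart = re.sub(rb"\s+", b"", data.split(b">", 1)[0])  # '>' is EOD
            data = bytes.fromhex((hexpart + b"0" * (len(hexpart) % 2)).decode())
        elif f == b"/ASCII85Decode":
            data = data.strip()
            data = base64.a85decode(data, adobe=data.endswith(b"~>"))  # '~>' is EOD
        elif f == b"/FlateDecode":
            data = zlib.decompress(data)
        else:
            raise ValueError(f"unsupported filter {f!r}")
    return data


def extract_js(pdf: bytes) -> list:
    """Carve every /JS payload as (object number, offset, decoded bytes).
    Inline literal strings are returned as-is; references are resolved and
    their filter chain undone, the way the report's artifact carving works."""
    objs = parse_objects(pdf)
    found = []
    for num, obj in sorted(objs.items()):
        m = JS_RE.search(obj["dict"])
        if not m:
            continue
        if m.group(1) is None:  # /JS (inline code)
            found.append((num, obj["offset"], m.group(2)))
            continue
        target = objs.get(int(m.group(1)))  # /JS n 0 R -> stream object
        if target is None or target["stream"] is None:
            continue
        code = apply_filters(target["stream"], filter_chain(target["dict"]))
        found.append((int(m.group(1)), target["offset"], code))
    return found


def build_sample_pdf() -> bytes:
    """Constructed test input, not the report's sample: an /OpenAction script with
    an ASCIIHex-encoded /JS stream, plus a page-open (/AA /O) action behind
    #xx-escaped names whose /JS stream is ASCII85 + Flate encoded."""
    js1 = b'app.alert("stage one");'
    js2 = b'this.exportDataObject({cName: "stage two"});'
    s1 = js1.hex().encode() + b">"
    s2 = base64.a85encode(zlib.compress(js2), adobe=True)[2:]  # PDF streams carry only '~>'
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/OCProperties << /OCGs [6 0 R] /D << /OFF [6 0 R] >> >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 7 0 R >> >> endobj\n",
        b"4 0 obj << /S /JavaScript /JS 5 0 R >> endobj\n",
        b"5 0 obj << /Length %d /Filter /ASCIIHexDecode >>\nstream\n%s\nendstream\nendobj\n" % (len(s1), s1),
        b"6 0 obj << /Type /OCG /Name (hidden layer) >> endobj\n",
        b"7 0 obj << /S /Java#53cript /J#53 8 0 R >> endobj\n",
        b"8 0 obj << /Length %d /Filter [/ASCII85Decode /FlateDecode] >>\nstream\n%s\nendstream\nendobj\n" % (len(s2), s2),
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("indicators:", sorted(find_indicators(parse_objects(pdf))))
    for num, off, code in extract_js(pdf):
        print(f"/JS object {num} at offset {off:#x} ({len(code)} bytes): {code!r}")
```

The parser deliberately normalizes #xx name escapes only in object dictionaries, never in stream bodies, because ASCII85 data legitimately contains '#' characters; normalizing the whole file would corrupt exactly the streams being carved. It does not handle cross-reference streams, object streams (/ObjStm) or encrypted documents, which real samples use to hide the same indicators, so treat it as the triage step that precedes a full parser, not a replacement for one.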