PDF malware analysis — malicious · 0831f41c208c503b

MALICIOUS

PDF

22.6 KB

MD5: f2b294d55ae017ed5dc86b6d50c26362 SHA-1: c61a9a7afa0aee0c93148212545b8176918c210b SHA-256: 0831f41c208c503b5be74dbb3d5de6e74f65337ceffd208ebdb9a7940af7ae9a

102 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT heuristic and confirmed by the ML_NYX_PDF_MALICIOUS and CLAMAV_DETECTION firings. This JavaScript is likely responsible for exploiting a vulnerability to execute code, a common technique for downloading and running further malicious content. No specific family could be identified, and no URLs or other IOCs were extracted beyond benign RDF/XAP/DC namespaces.

Machine Learning

Nyx PDF Classifier malicious score 0.9990

Heuristics 4

ClamAV: Pdf.Exploit.Agent-35606 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35606
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Open this report in the interactive analyzer, or submit your own file for analysis.