Malicious PDF — malware analysis report

Static analysis result for SHA-256 097a6ae05f1ba7d9…

MALICIOUS

PDF

File size: 45.3 KB
Authoring application: substr
MD5: a4555949e20302a79604bbfd6f1e760b
SHA-1: f8aacb4a2c0ef56e802a8939e82125043d7c033a
SHA-256: 097a6ae05f1ba7d998579d0197af256100a7dd2b82d931c994190cac37df52a8
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF document contains obfuscated JavaScript, identified by multiple heuristics and a high ML score. The script reconstructs a URL from concatenated strings and uses it to download and execute a payload. The ClamAV detection name 'Pdf.Malware.Agent-7659009-0' further supports its malicious nature. The primary attack pattern observed is the use of a malicious PDF attachment to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Malware.Agent-7659009-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Malware.Agent-7659009-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0001_000.js
    SHA-256: 1fe7ac4a8cad06f0a00e37639409b9d5e545bb711acbb413d0793462bbb1b419
    Kind: pdf-javascript-stream
    Source: PDF /JS object 1 at offset 0xB2A2
    Size: 418 bytes