Malicious PDF — malware analysis report

Static analysis result for SHA-256 0aa554e58704d5b9…

MALICIOUS

PDF

Size: 31.5 KB
Created: 2010-02-15 14:54:14 +03:00
Authoring application: [\!_@\$~] (via d54a439ba19be7fe2b18622f6e53587e)
MD5: 40d1935b8e61ff7c35e2079895ebce2a
SHA-1: 3ca13afd963c9f0dc48aab2bfb88b2e9a8a04499
SHA-256: 0aa554e58704d5b912f4cc84e709b8b5021abb7d2fa9b783ce97c967cf966ddc
Risk Score: 142

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, which is heavily obfuscated but likely intended to download and execute a secondary payload, as indicated by the ML classifier and ClamAV detection. The presence of JavaScript actions and filters like ASCIIHexDecode and ASCII85Decode further supports its malicious nature. The ClamAV signature 'Pdf.Dropper.Agent-7227020-0' suggests a dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9962

Heuristics (6)

  • ClamAV: Pdf.Dropper.Agent-7227020-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7227020-0
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0022_000.js
    SHA-256: a212127b76d9e4853ee9f5448659daec67d9b99e69bde81fdc18cb4cded0f76b
    Kind: pdf-javascript-stream
    Source: PDF /JS object 22 at offset 0x2B09
    Size: 35592 bytes
  • Filename: javascript_obj0024_001.js
    SHA-256: 0799a08d11f765cd61b1ad902c9e6dc3ccf598c6f14e2e62cc0f383a3ecf6636
    Kind: pdf-javascript-stream
    Source: PDF /JS object 24 at offset 0x776B
    Size: 118 bytes