Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 0b2173ae77eb272a…

MALICIOUS

PDF / .SWA

Size: 7.3 KB
Created: 2010-09-16 18:52:20
Authoring application: Qabifagevafa (via c00e0Tiqotezozav)
MD5: 270b677ebb33ac8fcd2197f9929770da
SHA-1: fc8c8c68e74f2c46357faf0b5c48e5a28c8073c3
SHA-256: 0b2173ae77eb272a34e4553d52e51eb2f5ae533657af5fa05ce289e8845b2558
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, flagged by multiple heuristics, including a critical ClamAV detection for obfuscated objects. The JavaScript itself is heavily obfuscated, making its exact function difficult to determine, but it appears to be designed to execute further malicious code. This suggests the PDF is likely a delivery mechanism for a more complex attack, possibly initiated via spearphishing.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9954

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256:  ff85b44f7d06834e69a161aee8e28b7340c56fef50ee1649100cb6f376ea5386
Kind:     pdf-javascript-stream
Source:   PDF /JS object 11 at offset 0x1364
Size:     2324 bytes