PDF malware analysis — malicious · 0c1d366bc64bcb3b

MALICIOUS

PDF

7.7 KB Authoring application: Qimigiwova (via ad556Bashemeriwesohitaro)

MD5: c63ab6dbf06a5791d1e2108e3a751c86 SHA-1: a51df09d1e4132fb58a90a00f131661cec3eb66e SHA-256: 0c1d366bc64bcb3b363bcb495f9477903aa04f085f9df963db203864e942a6b3

106 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, flagged by multiple heuristics, including a critical ClamAV detection for obfuscated objects. The JavaScript code, when deobfuscated, appears to construct a URL from concatenated strings and then execute it, likely to download and run a secondary payload. This behavior is characteristic of a downloader or droppers used in initial access via spearphishing.

Machine Learning

Nyx PDF Classifier malicious score 0.9989

Heuristics 3

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `ed31b16df2b6492a4d5be85b534deca964c2f0e07a8443782787f4ed9c62c93c`	pdf-javascript-stream	PDF /JS object 10 at offset 0x1303	3192 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.