Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d411abae641aa1d…

Verdict: MALICIOUS
File type: PDF
Size: 7.3 KB
Authoring application: Tooqimeqipigafara (via 522e8Renizaxizo)
MD5: 9bbdf807dcbc00e3b257ac94aac48faa
SHA-1: 7c4ea7cfc52086f0416051fecd697c58a54c45f7
SHA-256: 0d411abae641aa1dabbe97bd089471cd3f3e4006ebc2436c6b06611e405bea04
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment

The PDF contains embedded JavaScript, flagged by multiple heuristics and by a ClamAV detection. ClamAV's Heuristics.PDF.ObfuscatedNameObject fires on name objects written with #XX hex escapes, a technique used to hide keys such as /JavaScript and /JS from naive keyword scanning; legitimate PDF generators have little reason to encode those names. The extracted script is itself obfuscated and appears to download and execute a secondary payload. The ML classifier scores the file as malicious with high confidence. The authoring-application metadata ("Tooqimeqipigafara", "522e8Renizaxizo") does not correspond to any recognisable tool, which is worth keeping in mind when pivoting on Creator/Producer strings. Given how malicious PDFs are usually delivered, this file was most likely sent as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256: b53e27bbdeba8c818850cc3826b3d643c06114ca0ccd161a827d53f8e26598c4
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0x130D
Size: 2214 bytes
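The following Python is an added illustration, not code from the report or from the scanner that produced it. It shows the two steps behind the findings above: resolving #XX hex escapes in PDF name objects so that obfuscated /JavaScript, /JS and /OpenAction keys are recognised (the class of obfuscation ClamAV's Heuristics.PDF.ObfuscatedNameObject targets), then following the /JS reference to its stream object, inflating it, and carving the script out with its object number and file offset, as the artifact table records. The PDF it runs on is a small hand-built sample constructed here for the example; its script only calls app.alert and is not the real payload. Function names and the list of risky JavaScript APIs are this example's own choices.

```python
import re
import zlib

# --- Constructed sample -------------------------------------------------------
# Hand-built PDF mimicking the report's structure: /OpenAction, /JavaScript and
# /JS are written with #XX hex escapes, and the script sits in a FlateDecode
# stream in object 10. Constructed for this example; NOT the real sample.
JS_BODY = b'var a = unescape("%61%70%70"); this[a].alert("constructed sample");'
COMPRESSED = zlib.compress(JS_BODY)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /#4F#70#65#6EAction 11 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
    b"11 0 obj\n<< /S /#4A#61#76#61Script /#4A#53 10 0 R >>\nendobj\n",
    b"10 0 obj\n<< /Length " + str(len(COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + COMPRESSED + b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

# --- Name-object handling -----------------------------------------------------
NAME_RE = re.compile(rb"/([^\s/<>\[\]{}()%]+)")      # one name token after '/'
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")          # #XX escape inside a name
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")   # 'stream' but not 'endstream'
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_REF = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")       # /JS <num> <gen> R
SUSPICIOUS_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile"}
# Illustrative list of APIs a "dangerous API" rule might score; an assumption of this example.
RISKY_JS_APIS = ("unescape", "eval", "String.fromCharCode", "app.launchURL",
                 "exportDataObject", "util.printf", "getAnnots")


def decode_name(raw):
    """Resolve #XX escapes in a PDF name: b'#4A#53' -> b'JS'."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def normalise_names(dictionary):
    """Rewrite every name in a dictionary to its decoded form."""
    return NAME_RE.sub(lambda n: b"/" + decode_name(n.group(1)), dictionary)


def strip_streams(data):
    """Blank out stream bodies so compressed/binary data cannot yield bogus names."""
    return re.sub(rb"(?<!end)stream\r?\n.*?endstream", b"stream\nendstream", data, flags=re.S)


def scan_names(data):
    """Return ({suspicious decoded name: count}, number of names that used #XX escapes)."""
    hits, obfuscated = {}, 0
    for m in NAME_RE.finditer(strip_streams(data)):
        raw = m.group(1)
        name = decode_name(raw)
        if name != raw:
            obfuscated += 1                     # the ObfuscatedNameObject condition
        if name in SUSPICIOUS_NAMES:
            hits[name.decode()] = hits.get(name.decode(), 0) + 1
    return hits, obfuscated


def stream_payload(body):
    """Slice raw stream bytes out of an object body, trusting /Length when present."""
    head = STREAM_START.search(body)
    if not head:
        return None
    start = head.end()
    length = re.search(rb"/Length\s+(\d+)", body[:head.start()])
    if length:
        return body[start:start + int(length.group(1))]
    return body[start:body.find(b"endstream", start)].rstrip(b"\r\n")


def carve_js(data):
    """Return [(object number, file offset, script bytes)] for every stream referenced by /JS."""
    objects = {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(data)}
    carved = []
    for _offset, body in objects.values():
        head = STREAM_START.search(body)
        dictionary = normalise_names(body[:head.start()] if head else body)
        for ref in JS_REF.finditer(dictionary):           # found even if written as /#4A#53
            target = int(ref.group(1))
            if target not in objects:
                continue
            t_offset, t_body = objects[target]
            payload = stream_payload(t_body)
            if payload is None:
                continue
            t_head = STREAM_START.search(t_body)
            if b"/FlateDecode" in normalise_names(t_body[:t_head.start()]):
                try:
                    payload = zlib.decompress(payload)
                except zlib.error:
                    pass    # keep raw bytes: a lying /Length or truncated stream is itself a signal
            carved.append((target, t_offset, payload))
    return carved


def score_js(script):
    """Name the risky APIs present in a carved script (the 'separate rules' the heuristics mention)."""
    text = script.decode("latin-1")
    return [api for api in RISKY_JS_APIS if api in text]


if __name__ == "__main__":
    hits, obfuscated = scan_names(SAMPLE_PDF)
    print("suspicious names:", hits, "| obfuscated names:", obfuscated)
    for num, off, script in carve_js(SAMPLE_PDF):
        print(f"/JS object {num} at offset 0x{off:X}: {len(script)} bytes, risky APIs: {score_js(script)}")
```

Two design points worth noting. Name decoding is done before any keyword matching, which is why the scan still sees /JavaScript and /JS although the sample never contains those literal strings; a grep-style check would miss them. The carver trusts /Length first but falls back to the endstream marker and keeps the raw bytes when inflation fails, because malformed lengths and broken streams are common in malicious PDFs and silently dropping such an object would hide exactly the artifact an analyst wants.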