Malicious PDF — malware analysis report

Static analysis result for SHA-256 106b05d58e21d5fe…

MALICIOUS

PDF

Size: 74.1 KB
Created: 2009-09-09 11:18:27
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: a742017e862805a94f80884856d5d962
SHA-1: d9c93941999e0a1547f23d65b66492b166d6d84c
SHA-256: 106b05d58e21d5fe38933aed9703c64087ba0b33e9660e2c00d6dc0a2899271e
Risk Score: 116

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by ML classifiers and ClamAV, indicating it contains an exploit. Embedded JavaScript streams were extracted, with the largest one containing obfuscated code that appears to reconstruct a string and execute it. This behavior is consistent with downloading and executing a secondary payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9378

Heuristics (5)

  • ClamAV: Pdf.Exploit.Agent-22551 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22551
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size (the hash under each filename is the SHA-256 of the carved file).

  • javascript_obj0025_000.js
    SHA-256: af5ad937881a332c431302971b150616aace46a4f2bab322f65557146d4e4f2c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 25 at offset 0xE843
    Size: 24061 bytes
  • javascript_obj0026_001.js
    SHA-256: 185e7d70003d547acd5ef0487fd37cc39f111eba54fed8aa9bc2b268ecda9c4a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 26 at offset 0x11F8A
    Size: 251 bytes
  • javascript_obj0027_002.js
    SHA-256: 3bcd9c0bcda5fe81b8deef4c2fa6ced929080505a3fdd2efc3ec866bae554833
    Kind: pdf-javascript-stream
    Source: PDF /JS object 27 at offset 0x1208D
    Size: 209 bytes
  • javascript_obj0028_003.js
    SHA-256: 0827f41f33a23b24e16b3a826b8b1c092658c73fe6faee0b85f41649970ec2fa
    Kind: pdf-javascript-stream
    Source: PDF /JS object 28 at offset 0x12170
    Size: 166 bytes
  • javascript_obj0029_004.js
    SHA-256: 9a64d20a2f47e8f11a4ba2f60d52db909fdb7fd05b796b6128a0a3c0089ddfac
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x12236
    Size: 196 bytes