MALICIOUS
106
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains embedded JavaScript, flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Dropper.Agent-7230520-0'. The JavaScript appears to be obfuscated but is designed to download and execute a secondary payload, a common technique for malware droppers. The primary attack pattern is likely spearphishing attachment, with the JavaScript acting as the execution mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.8846
Heuristics 3
-
ClamAV: Pdf.Dropper.Agent-7230520-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-7230520-0
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0087_000.js77689440bf7df6a5fcd6349327d2128c6cb1f4106ac3f1a985d89cad1a167515 |
pdf-javascript-stream | PDF /JS object 87 at offset 0xF22C | 23609 bytes |
javascript_obj0088_001.js29ceacbae847dcd89510f7ff0e6519e55d927bbc350e539970738b8da7a75343 |
pdf-javascript-stream | PDF /JS object 88 at offset 0x128A4 | 212 bytes |
javascript_obj0089_002.jsfa112fb292d3c180168484f084b8d6e3e87d6074f1ff99b5d3cc6b97f67d8c83 |
pdf-javascript-stream | PDF /JS object 89 at offset 0x1299A | 175 bytes |
javascript_obj0090_003.jsf8bee4253c58ea81fb5acad6c6791b46e8622c56127c73e0c9fef5bad0b7991a |
pdf-javascript-stream | PDF /JS object 90 at offset 0x12A6E | 169 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.