Verdict: MALICIOUS (Risk Score 112)
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1059.007 JavaScript
The sample is an encrypted PDF flagged as malicious by ClamAV and an ML classifier. Static triage identified obfuscated JavaScript within an embedded stream, indicating the PDF likely exploits a vulnerability to execute this script. The JavaScript is the primary artifact of interest for further analysis, as it is expected to download and execute a second-stage payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.5781
Heuristics (3)
- ClamAV: Pdf.Exploit.Agent-19804 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-19804
- Suspicious extracted artifact (medium, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Encrypted PDF, string and stream contents are opaque to static scan (info, PDF_ENCRYPTED): the PDF declares /Encrypt; string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_009_off0000199b.js | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x199B | 48953 bytes |
Hash: 49cd727e74241a9553a47752213e9424f7195575cc0f9460748997e149bd03bd
Detection (carved artifact)
- ClamAV: No threats found
- Obfuscation or payload: likely. Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long hex-escaped blob(s).