Malicious PDF — malware analysis report

Static analysis result for SHA-256 1400fa5414e34714…

Verdict: MALICIOUS
File type: PDF
Size: 1.9 KB
Authoring application: sli
MD5: bfcbe2062746b3ef44ff989f62e4cd4f
SHA-1: b575e1cb279d4288ee1e77096e794bc535eb4d29
SHA-256: 1400fa5414e34714a0ea166bc136a3fdcd6d5308ccf141666683f21ee4068dd7
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

Multiple engines flag this PDF as malicious: ClamAV matches the signature Pdf.Exploit.Dropped-91 and the Nyx PDF classifier scores it 1.0000. The document carries a /JavaScript action whose /JS stream (object 76 at offset 0x426) holds 548 bytes of heavily obfuscated script; the deobfuscation pass expands it to 1213 bytes. The script assembles its real code at run time from concatenated string fragments and hands the result to eval, the usual construction for a stager that unpacks and runs a second-stage payload. Because this is a static result, the download-and-execute behaviour is inferred from that structure rather than observed; no network indicator was extracted. JavaScript in a PDF is not malicious on its own (benign forms use it), but obfuscation, eval-built code and an exploit signature together are the classic client-side exploitation and delivery chain, hence the mapping to T1059.007, T1203 and T1566.001.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Exploit.Dropped-91 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-91
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                   Kind                   Source                              Size
javascript_obj0076_000.js  pdf-javascript-stream  PDF /JS object 76 at offset 0x426   548 bytes
  SHA-256: 29e18a634b19cbe6fecff825675bc222a87b8701107adedd01b6cb70d4e122b4
deobfuscated.js            deobfuscated-js        PDF JavaScript deobfuscation pass   1213 bytes
  SHA-256: 242e528e0878a737125bedd52c6aca51d087342bdf6b920cd341b511f8e2361a
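The two generic heuristics (PDF_JAVASCRIPT, PDF_JS) and the carving and deobfuscation steps that produced the artifacts above can be reproduced with a small scanner. The following is an added example written for this page, not the analysis platform's own code and not operating on the report's sample: it builds a constructed PDF whose /OpenAction is a /JavaScript action pointing at a FlateDecode /JS stream, normalises hex-escaped names (/J#53 is /JS, a trick a plain grep misses), reports the object number and byte offset the way the artifact table does, carves and inflates the stream, and runs a static deobfuscation pass that folds String.fromCharCode() and constant string concatenation before looking for eval and friends. The object numbers (3 and 4 rather than 76), the sample script, and the rule names used as Python strings are assumptions made for the example.

```python
import re
import zlib
from typing import Optional

# Constructed stand-in for the carved script (not the artifact from the report):
# string fragments and String.fromCharCode() feed eval, the shape the report describes.
OBFUSCATED_JS = b'eval("app"+".al"+"ert"+String.fromCharCode(40,39,104,105,39,41));'

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)          # "N G obj ... endobj"
NAME_RE = re.compile(rb"/([^\s/\[\]<>()%]+)")                          # PDF name tokens
JS_VALUE_RE = re.compile(rb"/JS\s*(?:(\d+)\s+\d+\s+R|\((.*?)\))", re.S)  # "/JS N 0 R" or "/JS (..)"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")            # direct /Length only
STREAM_RE = re.compile(rb"\bstream\r?\n")
FROMCHARCODE_RE = re.compile(rb"String\.fromCharCode\(([\d\s,]+)\)")
CONCAT_RE = re.compile(rb'"([^"\\]*)"\s*\+\s*"([^"\\]*)"')
DANGEROUS_RE = re.compile(rb"\b(eval|unescape|Function)\s*\(")


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed minimal PDF: /OpenAction -> /JavaScript action -> FlateDecode /JS stream.
    /J#53 is the hex-escaped spelling of /JS (assumed obfuscation, not from the report)."""
    stream = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /J#53 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream) + stream + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def decode_name(raw: bytes) -> bytes:
    """Undo #xx hex escapes inside a PDF name (J#53 -> JS)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)


def normalize_names(dictionary: bytes) -> bytes:
    """Rewrite every name in a dictionary to its unescaped spelling."""
    return NAME_RE.sub(lambda m: b"/" + decode_name(m.group(1)), dictionary)


def object_stream(body: bytes) -> Optional[bytes]:
    """Decode an object's stream, honouring a direct /Length and /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    head = normalize_names(body[:m.start()])
    length = LENGTH_RE.search(head)
    if length:
        raw = body[m.end():m.end() + int(length.group(1))]
    else:  # indirect /Length (N 0 R): fall back to the endstream keyword
        raw = body[m.end():body.rfind(b"endstream")].rstrip(b"\r\n")
    return zlib.decompress(raw) if b"/FlateDecode" in head else raw


def deobfuscate(js: bytes) -> bytes:
    """Static pass: fold String.fromCharCode(...) and constant "a"+"b" until nothing changes.
    Only unescaped double-quoted literals are folded; strings built from variables remain."""
    def from_char_code(m):
        codes = [int(c) for c in m.group(1).split(b",") if c.strip()]
        return b'"' + bytes(codes) + b'"'
    prev = None
    while prev != js:
        prev = js
        js = FROMCHARCODE_RE.sub(from_char_code, js)
        js = CONCAT_RE.sub(lambda m: b'"' + m.group(1) + m.group(2) + b'"', js)
    return js


def scan_pdf(data: bytes) -> list:
    """Flag objects carrying /JavaScript actions or /JS keys, carve and deobfuscate the script."""
    objects = {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(data)}
    findings = []
    for num, (offset, body) in objects.items():
        head = normalize_names(STREAM_RE.split(body, 1)[0])   # dictionary only, never stream bytes
        names = set(NAME_RE.findall(head))
        hits = []
        if b"JavaScript" in names:
            hits.append("PDF_JAVASCRIPT")   # /JavaScript action dictionary
        if b"JS" in names:
            hits.append("PDF_JS")           # /JS key carrying the script
        if not hits:
            continue
        script, source = None, None
        m = JS_VALUE_RE.search(head)
        if m and m.group(1):                # /JS N 0 R: the script is another object's stream
            ref = int(m.group(1))
            if ref in objects:
                script, source = object_stream(objects[ref][1]), "object %d stream" % ref
        elif m:                              # /JS (...): inline literal (escapes not handled)
            script, source = m.group(2), "inline string"
        deob = deobfuscate(script) if script else None
        apis = sorted({a.decode() for a in DANGEROUS_RE.findall(deob)}) if deob else []
        findings.append({"obj": num, "offset": offset, "hits": hits, "source": source,
                         "script": script, "deobfuscated": deob, "apis": apis})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(build_sample_pdf(OBFUSCATED_JS)):
        print("obj %d at offset 0x%x: %s" % (f["obj"], f["offset"], ", ".join(f["hits"])))
        print("  script (%s): %s" % (f["source"], f["script"]))
        print("  deobfuscated: %s  dangerous APIs: %s" % (f["deobfuscated"], f["apis"]))
```

The object and stream regexes assume a conventional file layout: no object streams, no cross-reference streams and no incremental updates that redefine an object number, and only /FlateDecode is decoded. A real pass would resolve an indirect /Length, handle the other filters and parse literal strings with their escapes. The static folder only collapses constants; a script that builds its code from variables, arithmetic or DOM lookups needs an eval-hooking dynamic pass on top, which is what produces an expanded second artifact like the 1213-byte deobfuscated.js above.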