Malicious PDF — malware analysis report

Static analysis result for SHA-256 1560ef47398e74d8…

MALICIOUS

PDF

27.7 KB
MD5: c97222dde3d988dc0f7cfa90bf996d1c SHA-1: 7d492bab424e3842f8851cd2d096b3cffdb752bc SHA-256: 1560ef47398e74d881c2d482480d56a2d7bf9d8394e53ad3a3913f39cdfe6228
166 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating it likely contains an exploit. Embedded JavaScript streams were extracted, suggesting the execution of malicious code. The primary function of the JavaScript appears to be the execution of a second-stage payload, as indicated by the heuristic firings and the nature of the extracted scripts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • ClamAV: Win.Trojan.Agent-36100 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
61b3342009ae549a644b2e10adebd5cd212e67b62521943dba1c751251323a7e		 pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 27621 bytes
Detection
ClamAV: Win.Trojan.Agent-36100
Obfuscation or payload: unlikely
javascript_obj0008_001.js
b0153d96db343d2357da9e81a37a10ad7ddff9a176709851c329d97c409532d9		 pdf-javascript-stream PDF /JS object 8 at offset 0x20A 27871 bytes
Detection
ClamAV: Win.Trojan.Agent-36100
Obfuscation or payload: unlikely
legacy_pdfkit_stage_000.js
fa75fab769c31b525ecb13284cc9d40fabda089460abf9faf6164aca5fca7b00		 deobfuscated-js double percent-decoded annotation JavaScript at offset 0x1E7 15189 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.