Win.Trojan.Agent-36166 — PDF malware analysis

Static analysis result for SHA-256 1915d0f791107088…

Verdict: MALICIOUS

File type: PDF

Size: 14.5 KB
Created: 2009-11-15 19:41:70 (as stored in the file's metadata; the seconds field is out of range, which is itself a weak indicator of a tool-generated or tampered document)
Authoring application: PDF Library 4.3.9 (via PDF Library 3.9.7)
MD5: 8ddcfa85b9e3ecb06fd2fd97cf4b21af
SHA-1: 7d876701488d951892c320cc258ce803f81ea919
SHA-256: 1915d0f7911070880fb9051ed87f1423f7d34abe69d710f334d9e457e5df6220
Risk score: 106

Malware Insights

Win.Trojan.Agent-36166 · confidence 95%

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The file is flagged as malicious by both ClamAV and an ML classifier, and the heuristics confirm embedded JavaScript (a /JavaScript action and a /JS stream). JavaScript inside a PDF delivered as a spearphishing attachment (T1566.001) is most often there to exploit a vulnerability in the PDF reader and execute arbitrary code (T1203 via T1059.007), the usual route for staging a further payload. The ClamAV name Win.Trojan.Agent-36166 is a generic trojan signature rather than a named family: it supports the verdict but does not by itself identify the payload, so the carved JavaScript is the artifact to examine.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Win.Trojan.Agent-36166 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-36166
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256: e35debcc598c9943c3d4778aaacffc1c39ab028c284077c6c185f4a6816e172f
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x1A5
Size: 74985 bytes (decoded; larger than the 14.5 KB file, so the stream is stored with a compression filter)
Detection: ClamAV: Win.Trojan.Agent-36166
Obfuscation or payload: unlikely
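Added example (not part of the original report and not the analyser's own code): a stdlib-only Python scanner that reproduces the two low-severity JavaScript heuristics above and carves a /JS stream the way the artifact table shows, including FlateDecode, producing records with the same fields (filename, kind, source with object number and offset, decoded size, SHA-256). The PDF it runs on is constructed inline and is not the analysed sample; the function and rule names are this example's own, and the dangerous-API list is illustrative rather than the analyser's real rule set.

```python
import hashlib
import re
import zlib

# Constructed sample (not the analysed file): a minimal PDF whose catalog's
# /OpenAction is a /JavaScript action whose /JS is an indirect reference to a
# FlateDecode'd stream in object 7, the same shape as the carved artifact above.
JS_PAYLOAD = b"app.alert('constructed sample, not the real payload');"
_FLATE = zlib.compress(JS_PAYLOAD)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
    b"6 0 obj\n<< /S /JavaScript /JS 7 0 R >>\nendobj\n",
    b"7 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(_FLATE),
    _FLATE, b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")          # /JS as indirect reference
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)       # /JS as literal string (no nested parens)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
STREAM_START_RE = re.compile(rb"stream\r?\n")

# Illustrative list of APIs that historically mattered in reader exploits;
# the report's "separate rules" for dangerous APIs are not public, so this is
# an assumption standing in for them.
SUSPICIOUS_APIS = [b"eval(", b"unescape(", b"String.fromCharCode",
                   b"util.printf", b"Collab.collectEmailInfo", b"app.setTimeOut"]


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_objects(pdf):
    """Map object number -> (file offset, body) for each 'N G obj ... endobj'.
    Later definitions overwrite earlier ones, matching incremental-update semantics."""
    return {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}


def javascript_heuristics(pdf):
    """The report's two low-severity rules: a /JavaScript action and a /JS entry."""
    return {
        "PDF_JAVASCRIPT": re.search(rb"/JavaScript\b", pdf) is not None,
        "PDF_JS": re.search(rb"/JS\b", pdf) is not None,
    }


def stream_bytes(body):
    """Slice a stream by its /Length (safer than searching for 'endstream', which
    can occur inside binary data) and undo FlateDecode when the dictionary declares it."""
    start = STREAM_START_RE.search(body)
    length = LENGTH_RE.search(body)
    if not start or not length:
        return None
    raw = body[start.end():start.end() + int(length.group(1))]
    if b"/FlateDecode" in body:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # keep the raw bytes: a corrupt filter is itself worth a look
    return raw


def suspicious_apis(js):
    """Which of the illustrative dangerous APIs appear in the carved script."""
    return [api.decode() for api in SUSPICIOUS_APIS if api in js]


def carve_javascript(pdf):
    """Carve every /JS payload and return records shaped like the artifact table."""
    objs = parse_objects(pdf)
    artifacts = []
    for num, (offset, body) in objs.items():
        ref = JS_REF_RE.search(body)
        if ref:
            target = int(ref.group(1))
            if target not in objs:
                continue  # dangling reference; nothing to carve
            t_offset, t_body = objs[target]
            data = stream_bytes(t_body)
            src = f"PDF /JS object {target} at offset 0x{t_offset:X}"
            name = f"javascript_obj{target:04d}_000.js"
        else:
            lit = JS_LIT_RE.search(body)
            if not lit:
                continue
            data = lit.group(1)
            src = f"PDF /JS literal in object {num} at offset 0x{offset:X}"
            name = f"javascript_obj{num:04d}_000.js"
        if data is None:
            continue
        artifacts.append({"filename": name, "kind": "pdf-javascript-stream", "source": src,
                          "size": len(data), "sha256": sha256_hex(data),
                          "suspicious_apis": suspicious_apis(data), "content": data})
    return artifacts


if __name__ == "__main__":
    print(javascript_heuristics(SAMPLE_PDF))
    for a in carve_javascript(SAMPLE_PDF):
        print(a["filename"], a["source"], a["size"], a["sha256"], a["suspicious_apis"])
```

Two design points carry over to real samples: slicing by /Length rather than scanning for `endstream` avoids truncating binary streams, and reporting the decoded size explains why a carved artifact can be larger than the file that contained it, as the 74985-byte stream inside this 14.5 KB sample is. The regex-based object walk does not handle object streams (/ObjStm), cross-reference streams or encrypted documents; for those a full PDF parser is needed.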