Malicious PDF — malware analysis report

Static analysis result for SHA-256 1a2c4d4a3d120576…

MALICIOUS

PDF

353.0 KB Created: 2010-04-02 10:55:48 +08:00 Authoring application: Foxit PDF Creator Version 3.0.1.0109
MD5: d9fc5c6c782ee8710892d2c13f35b192 SHA-1: 30e09363dbccdd02202ffca62fceddf245ca0450 SHA-256: 1a2c4d4a3d120576df7ca963087b97c2ce77790f8fc47036afbd20fff1f2d315
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV heuristic indicates the file is recognized as a malicious PDF exploit (Pdf.Exploit.Agent-21047). Low-severity heuristics confirm the presence of embedded JavaScript, a common vector for PDF exploits. The embedded JavaScript is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier clean score 0.0014

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-21047 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-21047
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
080a4ebe6bdf70130047bc988b1601264a6d9a3ba87892c69d881a5ebe301a6b		 pdf-javascript-stream PDF /JS object 6 at offset 0x18B 6603 bytes
icc_00_off0003708e.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x3708E 3144 bytes
font_00_sfnt_off0004c127.bin
d3cea11cb6d1461a3db746ade4a1db3ab112a6309220ce73d3f17e0e7768978e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4C127 23240 bytes
font_01_sfnt_off0004ff22.bin
96ecba17338af0a1d58fd48e8a8e077e06c17a9f121f7734ac229b85861ac578		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4FF22 36660 bytes
font_02_sfnt_off00055ed8.bin
266277d99fba691df67d1792e251c5cc4cd6391443cc0d27ba3b5598a728df6a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x55ED8 15248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.