Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c93dfe86ddd34c7…

MALICIOUS

File type: PDF
Size: 326.2 KB
Created: 2015-08-11 09:46:06
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 60234de1a8799e2c9fce045a7f2bad90
SHA-1: aefdc1f4a5f66871ce253697b11a0595a8174888
SHA-256: 1c93dfe86ddd34c743d9c3ea6a2d749f4dfd1d4d5911a98e3813f2d9efe335f8
Risk score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file triggered a critical ClamAV detection for Unix.Trojan.PhpBackdoor-9354530-2. A high-severity heuristic firing for PDF_EVAL indicates the presence of obfuscated JavaScript, which is commonly used to exploit PDF vulnerabilities. The eval() call suggests dynamic code execution, likely to download and execute a second-stage payload. The document body is heavily corrupted and unreadable, providing no further context.

Heuristics (2)

  • CLAMAV_DETECTION (critical): ClamAV: Unix.Trojan.PhpBackdoor-9354530-2
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • PDF_EVAL (high): eval() call
    eval() found; commonly used for obfuscated exploit execution

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off0000c18f.bin
    SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xC18F
    Size: 264072 bytes