Malicious PDF / .SWA — malware analysis report

Static analysis result for SHA-256 1e914f681127f027…

MALICIOUS

PDF / .SWA

6.5 KB Authoring application: Tisilarehaue (via 52959Tibedegabala)
MD5: 7b91c24e3c38c9efb8c17d65b6d2e089 SHA-1: 15ed815d9e064ef10c2a581f86c0b96522f9aaf1 SHA-256: 1e914f681127f0277ce039bdf55e3df4fdb290b7e937135bedf63a63c0e5540a
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The critical ClamAV heuristic indicates this PDF is malicious, specifically identified as Pdf.Exploit.Agent-36142. The presence of embedded JavaScript, detected by PDF_JAVASCRIPT and PDF_JS heuristics, suggests an attempt to execute code. While the document body is unreadable, the JavaScript stream is the primary indicator of malicious activity. The exact function of the JavaScript could not be determined due to its size and potential obfuscation, but it is likely responsible for exploiting a vulnerability and delivering a secondary payload.

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-36142 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36142
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0010_000.js
d4dce4f95f7146e3b127d68edf45ceb045483a205d9e9a2a53d6e6b80d83b663		 pdf-javascript-stream PDF /JS object 10 at offset 0x1230 1728 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.