Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ed07491abb912e6…

MALICIOUS

PDF

30.1 KB Created: 2010-02-13 12:47:56 +03:00 Authoring application: [\^\$D#@] (via b9a8f4af85454f7c56c06f0a39e7ec23)
MD5: 08f4ff6d84beb922c268e8ecdec1bca2 SHA-1: a45b64d4c6ef074f25a772c841b2041fa118189c SHA-256: 1ed07491abb912e6eda69b619b59f9bc5d98f108aa06a6517609236bc3426587
142 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.002 Spearphishing Attachment

The PDF contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier and ClamAV detection strongly suggest malicious intent, with ClamAV identifying it as Pdf.Dropper.Agent-7006997-0. The presence of JavaScript actions and filters like ASCIIHexDecode and ASCII85Decode, often used to obfuscate malicious code, points to the file's likely purpose of exploiting vulnerabilities to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-7006997-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7006997-0
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0020_000.js
4d296755221fb23f57cd26c2c5fdbb3564737d99a2621338ae75c02cc2ad9a7f		 pdf-javascript-stream PDF /JS object 20 at offset 0x276B 34958 bytes
javascript_obj0022_001.js
2f3f3bbf7764ab3ce194008d78236122d5464c3c3fe662e0ce269dc21159ea28		 pdf-javascript-stream PDF /JS object 22 at offset 0x71EB 118 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.