Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f509116639e9f4b…

MALICIOUS

PDF

132.8 KB
MD5: 299dcad12ae62cb798d279dd8b36124d SHA-1: ff1ef09eadf4ecc11e8592721577b049a5b8f3aa SHA-256: 1f509116639e9f4b077fef91bbd7f8fe347b2149e68ce37a0a4f1cafd2b07b96
168 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious File

The PDF contains embedded JavaScript, flagged by multiple heuristics as malicious. ClamAV detections indicate it's an exploit targeting PDF documents and an extracted JavaScript artifact. The primary function appears to be the execution of this JavaScript, which is likely designed to download and execute a further malicious payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-36388 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36388
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0076_000.js
b4c32e8b32ae32b6b2e0ae6b1d99b00a2ec4a6bc4646aeaf969e7106c75ad060		 pdf-javascript-stream PDF /JS object 76 at offset 0x2C2 119622 bytes
Detection
ClamAV: Js.Exploit.HTML-27
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.