Malicious PDF — malware analysis report

Static analysis result for SHA-256 2009da692147d6d3…

MALICIOUS

PDF

Size: 300.8 KB  Created: (unreadable; the Info dictionary strings are encrypted and cannot be recovered by static scan)  Authoring application: (unreadable; encrypted)  Producer: (unreadable; encrypted)
MD5: 2d96fb49db291420bf8f77f7731cfdee SHA-1: 9433dc542e217601da51877789054fc85b7b1147 SHA-256: 2009da692147d6d3e0c46c133a19a31eb57189946a278dc6d985f3b0a64457ed
Risk Score: 64

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF declares /Encrypt, so its string objects and stream contents are opaque to static analysis, and the only rendered content is two image XObjects with no text-emitting operators, the screenshot-as-PDF lure pattern. Neither property is malicious on its own, but combined with a ClamAV match on Pdf.Exploit.Agent-22062 and a Nyx PDF Classifier clean score of 0.0008 the file is classified as malicious. The ClamAV signature name indicates a generic PDF exploit family; because the payload streams are encrypted, static analysis cannot establish which reader vulnerability, if any, is targeted, or whether a second stage is downloaded. Malicious encrypted PDFs commonly use an empty user password so that the reader decrypts them transparently, so the next analysis step is to attempt decryption with the empty password (or the password supplied in the lure) and, failing that, detonate the file in an instrumented sandbox.

Machine Learning

  • Nyx PDF Classifier clean score 0.0008

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-22062 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22062
  • Encrypted PDF (string and stream contents are opaque to static scan) info PDF_ENCRYPTED
    PDF declares /Encrypt — string objects and stream contents are encrypted with the standard security handler (RC4 or AES). On its own this is informational; legitimate encrypted documents include signed contracts, billing statements, and rights-managed material. Static heuristics cannot inspect encrypted payload bytes.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
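The two informational heuristics above (PDF_ENCRYPTED and PDF_IMAGE_ONLY_LURE) can be reproduced with a few lines of static inspection. The following Python is an added example written for this page, not the scanner's own code: it builds three constructed sample PDFs (an image-only lure, the same page with a real text object, and an encrypted variant whose content stream is replaced by placeholder bytes standing in for RC4/AES ciphertext, with placeholder /O and /U values rather than a real key derivation), then applies the checks. The point it demonstrates is that the /Encrypt entry, the /Subtype /Image names and the object structure remain in cleartext under the standard security handler, so encryption and image count are still visible, while the content stream itself is opaque, which is why the image-only verdict on an encrypted file is weaker than on a plaintext one.

```python
import re
import zlib

# Text-emitting content-stream operators listed in the report's heuristic.
TEXT_OPERATORS = {b"BT", b"ET", b"Tj", b"TJ", b"'", b'"'}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")
ENCRYPT_RE = re.compile(rb"/Encrypt\s+\d+\s+\d+\s+R|/Encrypt\s*<<")


def is_encrypted(pdf: bytes) -> bool:
    """The trailer's /Encrypt entry is a name plus reference; it is never encrypted itself."""
    return ENCRYPT_RE.search(pdf) is not None


def count_image_xobjects(pdf: bytes) -> int:
    """Dictionary names stay in cleartext under the standard security handler,
    so image XObjects can be counted even when the file is encrypted."""
    return len(IMAGE_RE.findall(pdf))


def _decoded_streams(pdf: bytes):
    """Yield each stream body: inflated when it is valid FlateDecode data, raw otherwise.
    Encrypted streams fail to inflate and come back as ciphertext."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body


def _operators(content: bytes):
    """Crude tokenizer: blank out literal and hex string operands first so a quote
    inside (Hello') is not mistaken for the ' operator, then split on whitespace."""
    stripped = re.sub(rb"\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>", b" ", content)
    return stripped.split()


def has_text_operators(pdf: bytes) -> bool:
    """True if any text-emitting operator appears in a raw or decompressed stream."""
    return any(TEXT_OPERATORS & set(_operators(s)) for s in _decoded_streams(pdf))


def classify(pdf: bytes) -> list:
    """Apply the two informational heuristics. On an encrypted file the lure tag only
    says that no text operator was found in opaque bytes, which is much weaker."""
    tags = []
    if is_encrypted(pdf):
        tags.append("PDF_ENCRYPTED")
    if count_image_xobjects(pdf) > 0 and not has_text_operators(pdf):
        tags.append("PDF_IMAGE_ONLY_LURE")
    return tags


# --- constructed sample PDFs (assumed layout for this example, not the analyzed file) ---

def stream_obj(dict_entries: bytes, data: bytes) -> bytes:
    return (b"<< " + dict_entries + b" /Length %d >>\nstream\n" % len(data)
            + data + b"\nendstream")


def build_pdf(objects, trailer_extra=b"") -> bytes:
    """Assemble a minimal but well-formed PDF with a correct xref table."""
    out = bytearray(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R %s>>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, trailer_extra, xref))
    return bytes(out)


IMAGE_XOBJECT = stream_obj(
    b"/Type /XObject /Subtype /Image /Width 1 /Height 1 "
    b"/ColorSpace /DeviceGray /BitsPerComponent 8",
    b"\x80")  # one grey pixel; placeholder image data


def _page_pdf(content_obj: bytes, extra_objects=(), trailer_extra=b"") -> bytes:
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Resources << "
        b"/XObject << /Im0 4 0 R >> /Font << /F1 << /Type /Font /Subtype /Type1 "
        b"/BaseFont /Helvetica >> >> >> /Contents 5 0 R >>",
        IMAGE_XOBJECT,
        content_obj,
        *extra_objects,
    ]
    return build_pdf(objects, trailer_extra)


def sample_image_lure() -> bytes:
    """Screenshot-as-PDF: one full-page image, no text operators."""
    content = zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q")
    return _page_pdf(stream_obj(b"/Filter /FlateDecode", content))


def sample_text_page() -> bytes:
    """Same image plus a real text object; the lure tag must not fire."""
    content = zlib.compress(b"BT /F1 12 Tf 72 700 Td (Invoice) Tj ET")
    return _page_pdf(stream_obj(b"/Filter /FlateDecode", content))


def sample_encrypted_lure() -> bytes:
    """Content stream replaced by opaque bytes standing in for ciphertext, plus a
    standard-security-handler /Encrypt dictionary with placeholder /O and /U."""
    ciphertext = bytes(range(0x80, 0x100))
    encrypt = (b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
               b"/O <" + b"00" * 32 + b"> /U <" + b"00" * 32 + b"> >>")
    return _page_pdf(stream_obj(b"/Filter /FlateDecode", ciphertext),
                     extra_objects=[encrypt], trailer_extra=b"/Encrypt 6 0 R ")


if __name__ == "__main__":
    for name, fn in [("lure", sample_image_lure), ("text", sample_text_page),
                     ("encrypted", sample_encrypted_lure)]:
        print(name, classify(fn()))
```

Running the module prints `lure ['PDF_IMAGE_ONLY_LURE']`, `text []` and `encrypted ['PDF_ENCRYPTED', 'PDF_IMAGE_ONLY_LURE']`, which mirrors the verdict on the analyzed file: the image XObjects are counted through the encryption, but the absence of text operators in the encrypted case is an absence of evidence, not evidence that the page is image-only.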