PDF malware analysis — malicious · 20f8e840c8d73056

MALICIOUS

PDF

10.1 KB

MD5: 0b0c63309dc2714a45dbbc01dfdd14d7 SHA-1: 1f9d87d9e3801c4d01dabba31b2ca051026a3c38 SHA-256: 20f8e840c8d73056c776042fd9010aaa4cf48ea490d89bcbf99a14ab4058840d

106 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Dropper.Agent-7238095-0' and a high ML score indicating maliciousness. The presence of embedded JavaScript, indicated by 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics, suggests the document is designed to execute code. The large size of the embedded JavaScript stream (27547 bytes) further supports the likelihood that it is used to download and execute a second-stage payload. The document body content is unreadable, providing no further clues.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7238095-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7238095-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0044_000.js` `0fc75f19916c67c87d1d403a1f04a3c869078cc76ada66d9293233834eeabe01`	pdf-javascript-stream	PDF /JS object 44 at offset 0x14C	27547 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.