Malicious PDF — malware analysis report

Static analysis result for SHA-256 27f2b164cbb9d24a…

Verdict: MALICIOUS
File type: PDF
Size: 116.3 KB
Created: 2008-08-05 23:16:47 UTC
Authoring application: Apple Keynote 4.0.3 (via Mac OS X 10.5.4 Quartz PDFContext)
MD5: ffd34f922e05d330de4aa02c34b92556
SHA-1: a06bdfd329f2db1595f4f876201a89ff5e2b2558
SHA-256: 27f2b164cbb9d24afef9e9fb5f760205c57c942e453d1983d1c6a430ec8c66fe
Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Pdf.Exploit.Agent-22991, indicating it exploits a known PDF vulnerability. The PDF_FROMCHARCODE heuristic further suggests obfuscated content within the PDF streams, a technique commonly used to hide exploit code. No document body text or scripts were extracted that would detail the exact lure or payload delivery mechanism, so the exploit itself is the primary attack vector identified.

Machine Learning

  • Nyx PDF Classifier: clean score 0.0011

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-22991 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22991
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below are standard XMP/RDF metadata namespace identifiers rather than navigable links.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/iX/1.0/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
icc_00_off00016b71.icc | 94722fe267764797f8887379cc0d355f5118beb3d186e087bfbd9e1a3f2d3f49 | pdf-icc-profile | PDF ICC profile at offset 0x16B71 | 1296 bytes
icc_01_off00016e8f.icc | 2a18161bb96fd584d19e737ce294732789e0e8e6ae8c8e4e5f09f1b138232a63 | pdf-icc-profile | PDF ICC profile at offset 0x16E8F | 1456 bytes
font_00_sfnt_off0000c66b.bin | 8a5509aac6957551a4e67cbce90559f5ed38cbad6ed2a25cbd07a406d2bad6a9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xC66B | 39824 bytes
font_01_sfnt_off00013b30.bin | 1cd589321f6c176bccad93177fe3bba6e3b1f175184f637489d68a082d30d515 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13B30 | 4216 bytes