Malicious PDF — malware analysis report

Static analysis result for SHA-256 2843bb5a0103e0ef…

MALICIOUS

PDF

Size: 21.5 KB
Created: 2009-05-01 21:21:45
Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 9b17a52b672ecad75f0e54145a978733
SHA-1: 990b4ed5906ba9237a931b32627a660c302aa745
SHA-256: 2843bb5a0103e0efa3dbfa02575350843e85dfaff675ca2f555ec0782c199f9d
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF contains embedded JavaScript with multiple eval() calls, a common technique for obfuscating malicious code. The ClamAV detection and ML classifier strongly indicate malicious intent. The JavaScript likely decodes and executes a payload, as suggested by the eval() calls and the presence of PDF-specific JavaScript actions. The specific payload or delivery mechanism beyond the initial JavaScript execution is not fully discernible due to obfuscation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7241886-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7241886-0
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.