Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ac372a91948b42e…

MALICIOUS

PDF

Size: 37.7 KB
Created: 2010-04-11 03:39:57 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: 3fb087c5c8def9552b4b155ac832062f
SHA-1: 43cb109437ef72cb7381c0e7b1b8a412ab317e76
SHA-256: 2ac372a91948b42ee3c31bdfaa7cf7da1702819001af0faf272c445f42458075
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ClamAV detection of 'Pdf.Exploit.Agent-22098' strongly suggests a known exploit is present. The embedded JavaScript is likely responsible for triggering the exploit, leading to the execution of malicious code. No specific IOCs beyond the ClamAV signature were extracted.

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-22098 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22098
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256: b383836c23bd825eb719d5d7ff178d2fe4007c7585fcd77b583fc4cfbe682b6e
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0x8C87
Size: 1346 bytes