Malicious PDF: malware analysis report

Static analysis result for SHA-256 2b88777ee8f67a97…

Verdict: MALICIOUS
File type: PDF
Size: 135.3 KB
Created: 2009-11-01 11:53:18 UTC
Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.0)
MD5: c07ba83bcc8b88b3e99c5ea38b3d801f
SHA-1: 32c4ad21b9cd76ea5222f4fe4a4d33fbc054e6df
SHA-256: 2b88777ee8f67a9763901acc58efaf50e1f7cd9fdc07f6675af5279bab4eda02
Risk score: 156

Malware Insights

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

Note: every scripting artifact in this report is PDF JavaScript (/JavaScript actions and /JS streams); no PowerShell content was extracted. Treat the T1059.001 mapping as the classifier's inference rather than an observed technique.

The PDF contains embedded JavaScript in multiple /JS objects. Several heuristics indicate obfuscation: eval() and String.fromCharCode() are present, and the carved scripts contain eval/decoder/string-building tokens. That pattern is consistent with a script that decodes and executes a second stage when the document is opened; the report does not recover that stage or any network indicator (the only URLs in the file are XMP metadata namespaces). The ClamAV detection Pdf.Dropper.Agent-7243378-0 supports a dropper role. No specific family could be identified, because the dropper signature is generic and no further indicators were available.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9672

Heuristics (7)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-7243378-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7243378-0.
  • PDF_EVAL (high): eval() call
    eval() found; commonly used for obfuscated exploit execution (matched inside a decoded stream).
  • PDF_JAVASCRIPT (low): JavaScript action
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_JS (low): Embedded JS stream
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF_FROMCHARCODE (low): String.fromCharCode
    String.fromCharCode found; used to construct payload strings dynamically. It is common in benign JavaScript libraries for codepoint manipulation, so on its own it is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules (matched inside a decoded stream).
  • EXTRACTED_FILE_STATIC_TRIAGE (info): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/xap/1.0/
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/pdf/1.3/
    All five are RDF/XMP schema namespace URIs from the document's metadata packet, not endpoints the JavaScript contacts. They carry no indicator value and should not be blocked or pivoted on.
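The heuristics above come from a pipeline that carves every /JS entry out of the PDF, inflates FlateDecode streams, and then scans the decoded JavaScript for risky tokens. The following is an added example of that triage step, written for this page and not code from the analysis tool. It builds a constructed two-script PDF inline (one /JS held in a FlateDecoded stream, one stored as a literal string), carves both, and scores them. The rule names PDF_EVAL and PDF_FROMCHARCODE mirror the report; PDF_UNESCAPE is this example's own name for a third common decoder token.

```python
"""Static triage of PDF JavaScript: carve /JS entries, inflate FlateDecode
streams and count the risky tokens the heuristics above score."""
import re
import zlib

# Constructed sample, not the analysed file: a minimal PDF with one /JS stored as a
# FlateDecoded stream (object 4, referenced from object 3) and one /JS stored inline
# as a literal string (object 5). The obfuscated script decodes to app.alert(1).
JS_OBFUSCATED = (
    b"var s = String.fromCharCode(97,112,112,46,97,108,101,114,116,40,49,41);\n"
    b"eval(s);"
)
JS_BENIGN = b"this.getField('Total').value = 42;"  # nested parens exercise the parser


def build_sample_pdf():
    compressed = zlib.compress(JS_OBFUSCATED)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
        b"<< /S /JavaScript /JS (" + JS_BENIGN + b") >>",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Triage-grade patterns: good enough to carve scripts from a non-hostile layout.
# Malicious files may hide objects in object streams or lie about /Length, so a
# real carver also walks the xref table and falls back to scanning for 'endstream'.
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+0\s+R")


def read_literal_string(data, start):
    """Return the contents of the PDF literal string whose '(' is at data[start].
    Handles balanced unescaped parentheses; backslash escapes are kept as the
    escaped character (octal and \\n style escapes are not expanded)."""
    depth, out, i = 0, bytearray(), start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\" and i + 1 < len(data):
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")


def decode_stream(obj):
    """Return the stream payload of an object, inflated if it is FlateDecoded."""
    m = STREAM_RE.search(obj)
    if m is None:
        return obj
    raw = m.group(1)
    if b"/FlateDecode" in obj[:m.start()]:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # corrupt or truncated stream: keep the raw bytes for review
    return raw


def carve_javascript(pdf):
    """Map object number -> decoded JavaScript for every object carrying a /JS key."""
    objects = {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}
    carved = {}
    for num, body in objects.items():
        if b"/JS" not in body:
            continue
        ref = JS_REF_RE.search(body)
        if ref:  # /JS points at a stream object
            carved[num] = decode_stream(objects.get(int(ref.group(1)), b""))
        else:    # /JS is an inline literal string
            paren = body.find(b"(", body.find(b"/JS"))
            if paren != -1:
                carved[num] = read_literal_string(body, paren)
    return carved


RISK_TOKENS = [
    (re.compile(rb"\beval\s*\("), "PDF_EVAL", "high"),
    (re.compile(rb"String\.fromCharCode"), "PDF_FROMCHARCODE", "low"),
    (re.compile(rb"\bunescape\s*\("), "PDF_UNESCAPE", "low"),  # example's own rule name
]


def score_javascript(js):
    """Return [(rule, severity, count)] for each risky token present in the script."""
    return [(rule, sev, len(rx.findall(js))) for rx, rule, sev in RISK_TOKENS if rx.search(js)]


def triage(pdf):
    return {num: {"size": len(js), "hits": score_javascript(js), "js": js}
            for num, js in carve_javascript(pdf).items()}


if __name__ == "__main__":
    for num, entry in sorted(triage(build_sample_pdf()).items()):
        print(f"object {num}: {entry['size']} bytes, hits={entry['hits']}")
```

Run against a real sample, the carve step is where the report's fourteen artifacts come from; the token scoring is deliberately crude, since the point of the heuristics is to decide which carved scripts deserve manual deobfuscation, not to render a verdict on their own.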

Extracted artifacts (14)

Files carved from inside the sample during analysis. Each entry lists the filename, SHA-256, kind, source (PDF object or stream and its byte offset in the file) and size. Note that ClamAV reported no threats on any individual carved script; the Pdf.Dropper.Agent-7243378-0 signature matched the PDF container as a whole.

javascript_obj0028_001.js
  SHA-256: 4b024e23c65bfca25f3ae333f366444cecd6a5c9b6de4aa5317d59031ba7404c
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 28 at offset 0x8C0
  Size:    125 bytes

javascript_obj0030_002.js
  SHA-256: 75de26c7269a06fc7825d89a4493e04c155efbc3d382c286d2ca06aa600a7a01
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 30 at offset 0x9B2
  Size:    164 bytes

javascript_obj0032_003.js
  SHA-256: d9b0adb46e43b8cd8f2eb61236ec7a0221ad24b9a1f7645cda6a8eab5b3017a2
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 32 at offset 0xBA2
  Size:    71 bytes

javascript_obj0033_004.js
  SHA-256: 23848f82ba8dd1727256c379d74d46b173e4203c87038b552108fe1a31085ace
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 33 at offset 0xC24
  Size:    226 bytes

javascript_obj0034_005.js
  SHA-256: 87df0063dd37411bf7c05daea98911845ff37309944eb19a3a431442ccb6b0c5
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 34 at offset 0xD4D
  Size:    123 bytes

javascript_obj0039_008.js
  SHA-256: b57072fe6fed59a2d996e2c9fbe887d410c7a573c06ce560f98eaa0b56e33aae
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 39 at offset 0x1068
  Size:    48 bytes

javascript_obj0040_009.js
  SHA-256: 95c4b23f30af1b8aa7b6773cce9f7b5104eed8f0d0421e880b0dc6617df11a0b
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 40 at offset 0x10CF
  Size:    75 bytes

javascript_obj0031_010.js
  SHA-256: 5ff66e5bc3d0a03802dae5f6ac2be67a30736471c289347332751c7c0cad269f
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 31 at offset 0xA99
  Size:    350 bytes

javascript_obj0037_011.js
  SHA-256: 47dcb0f74a1455cf5ab1be391b91fea4dd0f57a1ba23cc0302991a79c6f44034
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 37 at offset 0xE77
  Size:    839 bytes

javascript_obj0042_012.js
  SHA-256: bb24839c735b75b5a17c5d1f306f9bfd75adf0eea4cd379fbd5a4e7df263cdc5
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 42 at offset 0x117B
  Size:    680 bytes
  Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

javascript_obj0076_013.js
  SHA-256: 05e1122f756212b91add060dc4fa0d1cc8b96dd408c16f47c5a582388c0f57f8
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 76 at offset 0x15399
  Size:    753 bytes

javascript_obj0078_014.js
  SHA-256: 9a9e7241c61581528f45af5343bbcafcfc879727473a28e8214e81ade2c8866a
  Kind:    pdf-javascript-stream
  Source:  PDF /JS object 78 at offset 0x1556B
  Size:    1809 bytes
  Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).

stream_008_off00002f45.js
  SHA-256: 1543e9aa82f174befe9cad258b5c79a1d678664173ad95e6844c24a1a8e03126
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x2F45
  Size:    594 bytes
  Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 2 eval/decoder/string-building tokens).

stream_028_off000195d7.js
  SHA-256: 5035bc3b6b32267e2f8b6b1b003ca05a01ed39386941cb57174748b2232837db
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0x195D7
  Size:    839 bytes
  Detection: ClamAV: no threats found. Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens).
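The four carved artifacts flagged above for eval/decoder/string-building tokens are the ones an analyst would open next, and the report's own summary is that the eval() and String.fromCharCode() combination points to a staged script. The following is an added example, not part of the report or its tooling, of how to recover such a stage statically: it folds String.fromCharCode() calls with numeric arguments into string literals, merges adjacent string concatenations, and unwraps eval('...') when its argument has become a single literal, repeating until nothing changes. Nothing is executed. The input is a constructed two-layer script written for this example; the carved artifacts themselves are not reproduced on the page.

```python
"""Statically peel eval(String.fromCharCode(...)) layers from carved PDF
JavaScript without executing it."""
import re

# Constructed sample, not one of the carved artifacts above: two eval layers whose
# inner text is assembled from String.fromCharCode() calls and string concatenation.
SAMPLE_JS = (
    "eval(String.fromCharCode(101,118,97,108) + '(' + String.fromCharCode(39)"
    " + 'app.' + String.fromCharCode(0x61,0x6c,0x65,0x72,0x74) + '(1)'"
    " + String.fromCharCode(39) + ')');"
)

# A single-quoted JS string literal, allowing backslash escapes inside it.
STRING = r"'((?:[^'\\]|\\.)*)'"
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(\s*([0-9xXa-fA-F,\s]+?)\s*\)")
CONCAT_RE = re.compile(STRING + r"\s*\+\s*" + STRING)
EVAL_LITERAL_RE = re.compile(r"^\s*eval\s*\(\s*" + STRING + r"\s*\)\s*;?\s*$", re.S)
ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def js_quote(text):
    """Wrap text as a single-quoted JS literal, escaping backslashes and quotes."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def js_unquote(body):
    """Undo backslash escapes in the body of a single-quoted JS literal."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), body, flags=re.S)


def fold_fromcharcode(js):
    """Replace String.fromCharCode(<numeric literals>) with the string it builds.
    Calls whose arguments are not all numeric literals are left untouched."""
    def repl(m):
        try:
            codes = [int(t, 16) if t.lower().startswith("0x") else int(t, 10)
                     for t in (x.strip() for x in m.group(1).split(",")) if t]
        except ValueError:
            return m.group(0)
        return js_quote("".join(chr(c) for c in codes))
    return FROMCHARCODE_RE.sub(repl, js)


def fold_concat(js):
    """Merge 'a' + 'b' into 'ab' until no adjacent literal pairs remain."""
    previous = None
    while previous != js:
        previous = js
        js = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", js)
    return js


def peel_layers(js, max_layers=10):
    """Return [original, layer1, layer2, ...]; the last entry is the innermost code
    reachable by folding and unwrapping eval() of a pure string literal."""
    layers = [js]
    for _ in range(max_layers):
        folded = fold_concat(fold_fromcharcode(layers[-1]))
        m = EVAL_LITERAL_RE.match(folded)
        if m is None:
            if folded != layers[-1]:
                layers.append(folded)  # partial simplification, still worth showing
            return layers
        layers.append(js_unquote(m.group(1)))
    return layers


if __name__ == "__main__":
    for depth, code in enumerate(peel_layers(SAMPLE_JS)):
        print(f"layer {depth}: {code}")
```

The approach only peels what can be resolved from literals; a stage that depends on runtime state (document properties, viewer version checks, arithmetic on variables) stops the loop with a partially simplified layer, which is the cue to move to an instrumented JavaScript engine rather than keep guessing statically.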