PDF malware analysis — malicious · 2cb5f9a0f4c419e4

MALICIOUS

PDF

326.2 KB Created: 2017-02-15 11:14:12 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 60ed476bde19a1aecb1dddde1e44f44e SHA-1: 96e88653a36c97736bc28f0ced0a7399e25e5435 SHA-256: 2cb5f9a0f4c419e458f403ad73764a8b4788f29efc0f5a0c26aa085b9dc73414

100 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was detected as Unix.Trojan.PhpBackdoor-9354530-2 by ClamAV, indicating it contains a PHP backdoor. The presence of an eval() call within the PDF structure further supports its malicious nature, suggesting code execution capabilities. The document body appears to be heavily obfuscated or corrupted, preventing a clear understanding of its intended lure, but the backdoor detection is a strong indicator of a web server compromise attempt.

Heuristics 2

ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off0000c18f.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xC18F	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.