Malicious PDF — malware analysis report

Static analysis result for SHA-256 2de9fcdd8ea7aff9…

Verdict: MALICIOUS
File type: PDF
Size: 31.6 KB
MD5: 162bc61d6fc307e9dd812b1f03b47cc0
SHA-1: f277962822640066d0f96fb9151e854277b67b60
SHA-256: 2de9fcdd8ea7aff9809f2b814b033d45340c4d669ab80b347e9fd971520c226a
Risk Score: 146

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF was flagged by multiple high-severity heuristics, including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL, indicating that JavaScript is both present and executed. The ML classifier and the ClamAV detection strongly suggest malicious intent. The eval() call within the JavaScript stream is particularly concerning because it allows arbitrary code execution, a common technique for downloading and running second-stage payloads. The ClamAV detection name 'Pdf.Dropper.Agent-7685771-0' further supports the dropper functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7685771-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7685771-0
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0032_000.js
SHA-256: d59e4397008235fb1ff6aedb03f8064335762770f41e5c92003507a5e8be09fc
Kind: pdf-javascript-stream
Source: PDF /JS object 32 at offset 0x2CA
Size: 3073373 bytes