Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ee6c1102faf056d…

MALICIOUS

PDF

Size: 14.6 KB
Created: 2009-11-15 19:41:70 (as recorded in the file's metadata; a seconds value of 70 is out of range, so this timestamp is malformed and, like all producer metadata, attacker-controlled and not to be relied on)
Authoring application: PDF Library 4.3.9 (via PDF Library 3.9.7)
MD5: 12db5f9b3b3df55251e264c50492721a
SHA-1: 41fdaac15dba14fe5c78f75f4aa1c5dd6ba5e58b
SHA-256: 2ee6c1102faf056d073c9bccf750d363b1889d13b82a95aa6fd0a232494a023a
Risk score: 136

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript (the evidence on this page is embedded PDF JavaScript; no PowerShell was observed, so the PowerShell sub-technique T1059.001 is not supported by the findings)

The PDF contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. On their own these are low severity: benign interactive forms routinely carry scripts, so the risk score comes mostly from the ClamAV signature (Win.Trojan.Agent-36166) rather than from the presence of JavaScript. A single AV signature is a strong indicator rather than proof; the verdict rests on the combination of a small file whose only notable content is a script that a vendor signature recognises. The script is the likely delivery vehicle for the payload, either by triggering a reader vulnerability or by fetching and running further malware, which is a common exploit delivery pattern. Static analysis did not resolve its exact actions; since the carved stream below is scored "obfuscation or payload: unlikely", the next step is to read the extracted script by hand rather than to run a de-obfuscation pass.

Heuristics (3)

  • ClamAV: Win.Trojan.Agent-36166 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36166
  • JavaScript action [low, 1 related finding] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256: 6dddecd9fdc341adb5277d496d6cd6892f504b282dde5d3b8fe4f7279c46b6fc
Kind: pdf-javascript-stream
Source: PDF /JS object 7 at offset 0x1A5
Size: 76112 bytes (larger than the 14.6 KB container, which is consistent with the stream having been decoded, e.g. FlateDecode, when it was carved)
Detection: ClamAV: Win.Trojan.Agent-36166
Obfuscation or payload: unlikely
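The two low-scoring heuristics above and the carving recorded in the artifact table are easy to reproduce. The following Python is an added example, not the analysis platform's own code: it resolves #XX hex escapes in PDF names (so an action written as /J#61vaScript still counts as /JavaScript), counts /JavaScript and /JS occurrences the way PDF_JAVASCRIPT and PDF_JS do, follows an indirect /JS reference to its object, inflates a FlateDecode stream using the declared /Length, and hashes the result as the artifact table does. The PDF it runs on is constructed inline for the example; the object number 7 mirrors the table above but the content, the hex-escaped name and the script text are all part of the construction, not taken from the analysed sample.

```python
"""Triage helpers for the PDF_JAVASCRIPT / PDF_JS heuristics and for carving a
referenced /JS stream. Added example; not the analysis platform's code."""
import hashlib
import re
import zlib

# Constructed sample, NOT the analysed file: one page whose /OpenAction is a
# JavaScript action (name hex-escaped as /J#61vaScript, a common signature
# evasion) pointing at an indirect, FlateDecode-compressed /JS stream in object 7.
SAMPLE_JS = b"app.alert('constructed sample');\nthis.exportDataObject({cName:'x', nLaunch:2});"
_DEFLATED = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"6 0 obj << /S /J#61vaScript /JS 7 0 R >> endobj\n"
    b"7 0 obj << /Length " + str(len(_DEFLATED)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _DEFLATED + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def normalize_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes so /J#61vaScript compares equal to /JavaScript.
    Only used for scanning: applying this to stream bytes would corrupt them."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_js_heuristics(data: bytes) -> dict:
    """Counts behind the two heuristics: /JavaScript actions and /JS entries."""
    norm = normalize_names(data)
    return {
        "PDF_JAVASCRIPT": len(re.findall(rb"/JavaScript\b", norm)),
        "PDF_JS": len(re.findall(rb"/JS\b", norm)),
    }


def find_object(data: bytes, num: int):
    """Locate 'num gen obj' in the raw file (no xref needed) and return
    (offset of the header, bytes between 'obj' and 'endobj')."""
    m = re.search(rb"(?<![0-9])" + str(num).encode() + rb"\s+\d+\s+obj\b", data)
    if not m:
        return None
    end = data.find(b"endobj", m.end())
    return m.start(), data[m.end():end if end != -1 else len(data)]


def extract_stream(body: bytes) -> bytes:
    """Return the stream payload of an object body, inflating FlateDecode.
    Prefers a direct /Length; falls back to the 'endstream' keyword otherwise."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return b""
    dictionary = body[:m.start()]
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
    if length:
        raw = body[m.end():m.end() + int(length.group(1))]
    else:
        raw = body[m.end():body.rfind(b"endstream")]
        raw = raw[:-2] if raw.endswith(b"\r\n") else raw.rstrip(b"\r\n")
    if b"/FlateDecode" in dictionary:
        try:
            raw = zlib.decompress(raw)
        except zlib.error:
            pass  # keep raw bytes: damaged streams are common in malicious PDFs
    return raw


def carve_js(data: bytes) -> list:
    """Follow every /JS entry: indirect references are carved from their object,
    inline literal strings are returned as-is (offsets for inline strings are in
    the hex-normalised view and may differ slightly from file offsets)."""
    norm = normalize_names(data)
    results = []
    for m in re.finditer(rb"/JS\s*(?:(\d+)\s+\d+\s+R|\((.*?)\))", norm, re.S):
        if m.group(1):
            num = int(m.group(1))
            found = find_object(data, num)
            if not found:
                continue
            offset, body = found
            script, src = extract_stream(body), f"PDF /JS object {num} at offset {offset:#x}"
        else:
            script, src = m.group(2), f"inline /JS string at offset {m.start():#x}"
        results.append({"source": src, "size": len(script),
                        "sha256": hashlib.sha256(script).hexdigest(), "script": script})
    return results


if __name__ == "__main__":
    print("heuristics:", pdf_js_heuristics(SAMPLE_PDF))
    for art in carve_js(SAMPLE_PDF):
        print(f"{art['source']}: {art['size']} bytes sha256={art['sha256']}")
        print(art["script"].decode("latin-1"))
```

Run against a real sample, this finds only objects written in clear: scripts packed into /ObjStm object streams, streams using filters other than FlateDecode, or a /Length given as an indirect reference need a full PDF parser. The carved bytes are what the ClamAV signature in the table matched on, so hashing them after decoding is what lets the artifact hash above be compared across samples.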