Malicious PDF — malware analysis report

Static analysis result for SHA-256 311a067eb1dfab6b…

MALICIOUS

PDF

Size: 14.7 KB
Created: 2009-11-15 19:41:70 (as recorded in the document metadata; a seconds value of 70 is out of range, so the CreationDate field itself is malformed)
Authoring application: PDF Library 4.3.9 (via PDF Library 3.9.7)
MD5: 068146b1b32687a0a1f1c347eb3fffd9
SHA-1: 869f3c1eacbf4901f46e59394b7be2fb23a3ca9f
SHA-256: 311a067eb1dfab6bed14b58b303e1896bb419c882a74101626ebc7126848a22f
Risk score: 136

Malware Insights

MITRE ATT&CK
T1059.007 Command and Scripting Interpreter: JavaScript

The file is a PDF that carries embedded JavaScript: the PDF_JAVASCRIPT and PDF_JS heuristics fire because the document contains a /JavaScript action and references a /JS stream. ClamAV matches the same signature, Win.Trojan.Agent-36166, on both the container and the JavaScript carved from object 7, so the detection is on the script itself rather than on some other part of the document. That script is the component to treat as the payload stage. Note that the generic Agent family name says nothing about what the script does; its behaviour has to be established by reading the extracted artifact, not inferred from the detection name.

Heuristics (4)

  • ClamAV: Win.Trojan.Agent-36166 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36166
  • ClamAV detection on extracted artifact [critical] EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:   javascript_obj0007_000.js
SHA-256:    5427917402ca7694bd85845ef0963d0b6b9f30f485b8cc38c03d6975f09bb93a
Kind:       pdf-javascript-stream
Source:     PDF /JS object 7 at offset 0x1A5
Size:       76118 bytes (decoded stream; this is larger than the 14.7 KB container, so the stream must be stored under a compression filter in the file)
Detection:  ClamAV: Win.Trojan.Agent-36166
Obfuscation or payload: unlikely
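The two PDF heuristics listed above and the carving step that produced the object 7 artifact can be reproduced in a few lines of Python. The following is an added example, not the analysis platform's own code. It builds a constructed stand-in PDF (JavaScript in object 7, Flate-compressed, as in this sample) rather than touching the real file, scans objects with regular expressions instead of walking the xref table, and also handles the #xx name-escape trick (/J#53 for /JS) that plain string matching misses. Function names, the sample bytes and the rule names as dictionary keys are the example's own choices.

```python
import hashlib
import re
import zlib
from typing import Optional, Tuple

# Constructed stand-in for the sample (not the real file): a minimal PDF whose
# /OpenAction is a /JavaScript action with its /JS code in object 7, stored as
# a Flate-compressed stream. Objects 4 and 5 are skipped on purpose; gaps in
# object numbering are legal in PDF and common in hand-built malicious files.
SAMPLE_JS = b"app.alert('constructed sample, not the real payload');"


def build_sample_pdf(obfuscate_names: bool = False) -> bytes:
    body = zlib.compress(SAMPLE_JS)
    # #xx is the PDF name-escape syntax: /J#53 is the same name as /JS.
    # Malicious documents use it to dodge naive string matching.
    js_name = b"/J#53" if obfuscate_names else b"/JS"
    action = b"/Java#53cript" if obfuscate_names else b"/JavaScript"
    objects = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"6 0 obj\n<< /S " + action + b" " + js_name + b" 7 0 R >>\nendobj\n",
        b"7 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
        + b"stream\n" + body + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objects) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /J#53 reads as /JS. Detection-only copy: decoding
    shifts offsets (and may touch stream bytes), so carving uses the original."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pdf_heuristics(data: bytes) -> dict:
    """The two generic heuristics from the report: a /JavaScript action is
    present, and a /JS entry (stream or string) is referenced."""
    norm = normalize_names(data)
    return {
        "PDF_JAVASCRIPT": re.search(rb"/JavaScript\b", norm) is not None,
        "PDF_JS": re.search(rb"/JS\b", norm) is not None,
    }


# Triage-grade object scanning. A real parser walks the xref table and object
# streams; a regex can be fooled by "endobj" appearing inside binary stream data.
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)


def split_stream(body: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (stream dictionary, raw stream bytes) for an object body, or None.
    Prefer a direct /Length over hunting for 'endstream', because stream data
    may legitimately end in a CR byte or contain the keyword."""
    kw = re.search(rb"stream\r?\n", body)
    if kw is None:
        return None
    sdict, start = body[:kw.start()], kw.end()
    m_len = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", sdict)  # direct integer only
    if m_len:
        return sdict, body[start:start + int(m_len.group(1))]
    end = body.find(b"endstream", start)
    return (sdict, body[start:end].rstrip(b"\r\n")) if end != -1 else None


def carve_js_streams(data: bytes) -> list:
    """Follow every '/JS n 0 R' reference to object n and extract its stream,
    inflating it when the stream dictionary names /FlateDecode."""
    norm = normalize_names(data)
    objects = {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(data)}
    carved = []
    for ref in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", norm):
        num = int(ref.group(1))
        if num not in objects:
            continue  # dangling reference, or target packed inside an object stream
        offset, body = objects[num]
        parts = split_stream(body)
        if parts is None:
            continue
        sdict, raw = parts
        stored = len(raw)
        if b"/FlateDecode" in sdict:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or truncated: keep the raw bytes, still worth a look
        carved.append({"object": num, "offset": offset, "stored_size": stored,
                       "size": len(raw), "sha256": sha256_hex(raw), "content": raw})
    return carved


if __name__ == "__main__":
    pdf = build_sample_pdf(obfuscate_names=True)
    print("heuristics:", pdf_heuristics(pdf))
    for art in carve_js_streams(pdf):
        print("object %d at offset 0x%X: %d bytes stored, %d decoded, sha256 %s"
              % (art["object"], art["offset"], art["stored_size"], art["size"], art["sha256"]))
        print(art["content"].decode("latin-1"))
```

The decoded size reported for each artifact is the inflated stream, which is why a carved script can be larger than the document it came from, as with the 76118-byte artifact above. Run against a real sample, the offset printed for the /JS object is what the "Source" column of the artifact table records.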