PDF malware analysis — malicious · 31360c5197f8c61a

MALICIOUS

PDF

809.3 KB

MD5: af061f8c63cd1d4ad83dc2bf81f36af8 SHA-1: 70cdced00da7f75032869c19a170b3620a5d8fad SHA-256: 31360c5197f8c61a6d0e9204d00a6aacbe075639750b91eb96d4264a56cae4b2

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by multiple heuristics, including critical ClamAV detection for 'Pdf.Dropper.Agent-1507050' and a high ML score. The presence of embedded JavaScript and XFA form elements indicates a likely attempt to execute malicious code. The primary function appears to be acting as a dropper for further malicious activity.

Machine Learning

Nyx PDF Classifier malicious score 0.9993

Heuristics 4

ClamAV: Pdf.Dropper.Agent-1507050 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-1507050
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_000_off0006d90c.js` `dcefc16710d335e69f60cdd8a0e174d43939d02eaa8dd4c6d7ce4ca63f06495b`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x6D90C	289498 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.