Malicious PDF — malware analysis report

Static analysis result for SHA-256 327be2eeb5a3cabe…

MALICIOUS

PDF

9.4 KB
MD5: 1ae65dd5d9a4b0e25fa31cd52459df9e SHA-1: a2a5d50e009e68c4f4b8ec86978b69666f6f4c69 SHA-256: 327be2eeb5a3cabe574c6b1ca3a237170090ea985361a775fdf77137f396a548
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF contains embedded JavaScript, flagged by heuristics as a malicious script payload. ClamAV identifies the file as 'Pdf.Dropper.Agent-7246692-0', indicating its role as a dropper. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7246692-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7246692-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off00001c8b.js
f9bcdcfc364651aefc531e2162ffac4fa26669b768e999d28bd4f56114a8428e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C8B 2857 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
acroform_b64_00.js
415a37f9696e36a64fb7f732b1dee5a1b444603230c7345c30862b24ac3b2e35		 deobfuscated-js PDF AcroForm base64 (decompressed) at offset 0xE6 8528 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.