Malicious PDF — malware analysis report

Static analysis result for SHA-256 341cf489904e76a3…

MALICIOUS

PDF

Size: 145.9 KB
Created: 2008-09-24 19:47:56
Authoring application: Adobe (via Notepad)
MD5: c7e0dea82570bd98d5a6e426b0a76457
SHA-1: ea5ddc20cd3bc86fbb6a7443535f4ade7719bfb3
SHA-256: 341cf489904e76a3eaecb256fcc27c02980a9e950d9a22007d96c7d5824c934a
Risk Score: 206

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The sample is a PDF file flagged by multiple heuristics, and by ClamAV, as a known exploit. It contains embedded JavaScript with an eval() call, indicating an attempt to execute arbitrary code. The JavaScript is obfuscated, but the presence of eval() together with the firing of the exploit cluster strongly suggests it is designed to trigger a vulnerability in the PDF reader.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-35931 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35931
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.