MALICIOUS
116
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF contains multiple embedded JavaScript streams, with one stream being particularly large and heavily obfuscated. Heuristics and ML classification indicate malicious intent, and ClamAV identifies it as a known dropper. The JavaScript likely downloads and executes a second-stage payload, a common technique for malware distribution.
Machine Learning
- Nyx PDF Classifier malicious score 0.8846
Heuristics 3
-
ClamAV: Pdf.Dropper.Agent-7417865-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-7417865-0
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0087_000.js47a5835193a7c2a5617505f6240e07d9a1d01e9772beb0972dd21865628041fd |
pdf-javascript-stream | PDF /JS object 87 at offset 0xF22C | 23692 bytes |
javascript_obj0088_001.js3d8b1723c9ade390c55341570e3e8fda2a7c4b00ad038f6db96eb4f75cf84904 |
pdf-javascript-stream | PDF /JS object 88 at offset 0x128AF | 222 bytes |
javascript_obj0089_002.jsfc791c5e473cc1ae7b17bb45efc346ed6f45b4ef2dd6bb19d21453aba54c2566 |
pdf-javascript-stream | PDF /JS object 89 at offset 0x129AE | 224 bytes |
javascript_obj0090_003.jsb56b30d0148454c230c55350badc251a32818b1a6ba37b418306742cdf68bdad |
pdf-javascript-stream | PDF /JS object 90 at offset 0x12A8F | 172 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.