Pdf.Dropper.Agent-7249572-0 — PDF malware analysis

Static analysis result for SHA-256 380ba8f37e6d465a…

Verdict: MALICIOUS
File type: PDF
Size: 55.9 KB
Created: 2009-07-11 08:11:56
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 46317dd5d77abdb2d024eddd3e52e2c1
SHA-1: becdce16cd8557e1b45024cbc93ec8fadc3851b9
SHA-256: 380ba8f37e6d465aeeb36d75551dfcf4de0ad7c8a640851e7cdd8ecf4f7a4c66
Risk Score: 78

Malware Insights

Pdf.Dropper.Agent-7249572-0 · confidence 85%

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was identified as malicious by ClamAV with the signature Pdf.Dropper.Agent-7249572-0. Static analysis revealed embedded JavaScript streams, indicating the PDF is designed to execute code. The presence of JavaScript actions and streams strongly suggests the file's intent is to download and execute a secondary payload, a common dropper behavior. The PDF itself contains no readable text, relying on its embedded scripts for malicious functionality.

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7249572-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7249572-0
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs listed here are XMP/RDF metadata namespace identifiers, which are expected in PDF metadata and are not download locations.
    URLs:
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj0034_000.js
    SHA-256: 28c0401769a357dc37763aac2d760aa3d0f0e9b986d0ca928a8ccca051b35202
    Kind: pdf-javascript-stream
    Source: PDF /JS object 34 at offset 0xAFBD
    Size: 43801 bytes
  • javascript_obj0035_001.js
    SHA-256: 2a4b4c404e293c0dd5afc31fd7c3a92f8b39575bb28c77665d996d27efc713c2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 35 at offset 0xD82F
    Size: 270 bytes
  • javascript_obj0036_002.js
    SHA-256: e0b962c67bdba52b64b31e8b9d3c3fe3539d643c8f852577d39e60225d28411a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 36 at offset 0xD957
    Size: 222 bytes