Pdf.Dropper.Agent PDF malware analysis — malicious · 39a8c7414bb27147

MALICIOUS

PDF

56.7 KB Created: 2009-12-20 15:16:05 +03:00 Authoring application: tendChunk (via 29ddbdb402491a6aa97964a8139a1356)

MD5: 2b8417b069b627c3322b2ebfdda17e90 SHA-1: f2ef273932ba3856fc8cb60c54d9139319321aae SHA-256: 39a8c7414bb27147df74195b8c9816d389982e8c73ef6b851aa99282b64bb874

116 Risk Score

Malware Insights

Pdf.Dropper.Agent · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is identified as a malicious PDF dropper by ClamAV and a machine learning classifier. It contains multiple embedded JavaScript streams, indicating an attempt to exploit PDF vulnerabilities and execute malicious code. The presence of JavaScript actions and embedded JS streams strongly suggests the execution of a secondary payload, consistent with dropper behavior.

Machine Learning

Nyx PDF Classifier malicious score 0.9992

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7250481-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7250481-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0017_000.js` `638d3aa4e344bf47f9494cbf83e4319461aba47c981a0cab60a7466d0cdf499b`	pdf-javascript-stream	PDF /JS object 17 at offset 0x27B4	2276 bytes
`javascript_obj0018_001.js` `bc9abd813c594c41094459d89c5768ceae8d428c0804d1840ccc76795c0357c8`	pdf-javascript-stream	PDF /JS object 18 at offset 0x30E8	4096 bytes
`javascript_obj0019_002.js` `1cc38e69ef3f47ebab20875184bc64870248f66dd94121757e588b6ba957cb38`	pdf-javascript-stream	PDF /JS object 19 at offset 0xC707	1858 bytes
`javascript_obj0020_003.js` `879b08c49108aabf9a705f599686ef0906dec891420bb1f939bf8aa60adcca54`	pdf-javascript-stream	PDF /JS object 20 at offset 0xCE92	1470 bytes
`javascript_obj0021_004.js` `c6e50c24b3abb0e05cf6597f551fbeaa284406817931c4c69b11d4f71e597cc3`	pdf-javascript-stream	PDF /JS object 21 at offset 0xD494	2104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.