Malicious PDF — malware analysis report

Static analysis result for SHA-256 43152febdb1277df…

MALICIOUS

PDF

Size: 446.3 KB
Created: 2015-07-11 17:33:43
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 2c9016981b40b250ad0088aa1b013350
SHA-1: 5a1a5521ed2a099d045bd681e5643f967c86fdfc
SHA-256: 43152febdb1277df2be5e1d9e5df818b43981894257f155450b3a96be3df7ad4
Risk Score: 132

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.007 JavaScript

The file is a PDF with a high-confidence malicious classification from an ML classifier and a ClamAV detection as Unix.Trojan.PhpBackdoor. The PDF_EVAL heuristic indicates the presence of executable code within the PDF structure. While the document body is heavily obfuscated and unreadable, the presence of eval() together with the ClamAV signature strongly suggests the PDF is designed to execute malicious code, likely a backdoor or downloader.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9928

Heuristics (2)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000bce0.bin
SHA-256:  a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind:     decompressed-pdf-stream
Source:   PDF FlateDecoded stream at offset 0xBCE0
Size:     264072 bytes