Malicious PDF — malware analysis report

Static analysis result for SHA-256 4968298a0b11882d…

Verdict: MALICIOUS
File type: PDF
Size: 400.9 KB
Created: 2014-09-12 11:53:46
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 06adfc22a7cb15a4c866dccf73dc2ca3
SHA-1: d9c37c271b5f0732f2c3a77a35eb1f3746fc0114
SHA-256: 4968298a0b11882ddcfd4108f950180597d8da1c21d7dd819eef5ea056027ebf
Risk Score: 130

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Unix.Trojan.PhpBackdoor-9354530-2'. The presence of an 'eval()' call within the PDF structure strongly suggests execution of embedded JavaScript, a common technique for delivering second-stage malware. Although the document body is unreadable, the combination of the ClamAV signature and the eval() heuristic indicates malicious intent, most likely to download and execute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.6705

Heuristics (2)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call (severity: high, tag: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_003_off0000bebd.bin
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xBEBD
Size: 264072 bytes