PDF malware analysis — malicious · 49af1efef6fdd710

MALICIOUS

PDF

12.8 KB

MD5: 7efce6a47835aaca25d02cb20b3d6d3e SHA-1: 6a3bc49aae053bf5a879640cfd65b616e81fe9ba SHA-256: 49af1efef6fdd710ab834ac0629d6ab35bcce71c50e79420aed0370af1c11e5c

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV detection 'Pdf.Exploit.Dropped-94' and the high heuristic 'PDF_METADATA_EVAL_STAGER' indicate that this PDF is designed to execute JavaScript from its metadata. This JavaScript likely acts as a stager to download and execute a secondary payload. No document body text was available for further analysis, but the presence of JavaScript execution and the ClamAV signature strongly suggest a malicious intent.

Heuristics 4

ClamAV: Pdf.Exploit.Dropped-94 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-94
PDF metadata JavaScript eval stager high PDF_METADATA_EVAL_STAGER

PDF JavaScript reads document metadata fields such as title, subject, or producer, decodes character data with parseInt/String.fromCharCode style helpers, and evals the recovered stage. This is a high-signal exploit-kit staging pattern.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0076_000.js` `a3027ef661666c1d976f9471482246cb32d766cb5a5921aaa3d6c729f55611cf`	pdf-javascript-stream	PDF /JS object 76 at offset 0x3123	331 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.