Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cc2df8e7c95395b…

MALICIOUS

PDF

37.2 KB Created: 2010-03-01 06:45:04 +03:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: e538087771722e6705be44c423642437 SHA-1: 9452dcabc757951d44028def00c692b8c8d7a15a SHA-256: 4cc2df8e7c95395b8db2a1008db359b8aacf36ca82e228fc1f3b0ebfbba9f36f
114 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV detection and high ML score indicate this PDF is malicious. The presence of embedded JavaScript, identified by multiple heuristics, strongly suggests an exploit attempt. The JavaScript is likely designed to download and execute a secondary payload, as indicated by the 'Pdf.Exploit.Agent-13743' ClamAV signature. The document body contains garbled text, offering no user-facing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-13743 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-13743
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0010_000.js
775fc8a92c9d7d3bdfb12e152675324f97c75ec47c85e9b4b6352b96f6951cac		 pdf-javascript-stream PDF /JS object 10 at offset 0x7072 8038 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.