PDF malware analysis — malicious · 4e6b0e7f863757e7

MALICIOUS

PDF

37.8 KB Created: 2010-04-13 19:19:32 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: f80a620b1110d817cc4e31cba5525a9d SHA-1: 15fc02783241349c8b5cae4af2f1051ad1e51620 SHA-256: 4e6b0e7f863757e78a164d4e5087ac4e45a3efef98166f4b8459dcf20ded8129

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1559.001 Component Object Model

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier and ClamAV detection strongly suggest malicious intent, specifically targeting a PDF exploit (Pdf.Exploit.Agent-22273). The embedded JavaScript is likely responsible for executing the exploit, leading to a malicious outcome. No specific IOCs like URLs or hashes were extracted from the provided evidence.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Pdf.Exploit.Agent-22273 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-22273
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `af71f88c37ca6bf3b4f5df3c60d36a93a11bd6f605eab9870fbd6a551ae5be0e`	pdf-javascript-stream	PDF /JS object 10 at offset 0x8CDE	1346 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.