Pdf.Dropper.Agent-7212560-0 — PDF malware analysis

Static analysis result for SHA-256 502293e2e419933f…

Verdict: MALICIOUS

File type: PDF

Size: 74.0 KB
Created: 2009-09-09 11:18:27
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)

MD5: 535abf5702d8f3de247b5103e31150f5
SHA-1: bb96885e4cebb6fb529ba1f416bfa7b9182ae41a
SHA-256: 502293e2e419933f99b948023bb826c204a93d6636fb092b3d166df14e196c27

Risk score: 86

Malware Insights

Pdf.Dropper.Agent-7212560-0 · confidence 95%

MITRE ATT&CK

  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection name 'Pdf.Dropper.Agent-7212560-0' strongly suggests this is a dropper. The JavaScript is likely responsible for downloading and executing a secondary payload, a common technique for PDF-based malware. The PDF_IMAGE_ONLY_LURE heuristic indicates the document may be designed to trick users into interacting with it by presenting an image without actual text content.

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7212560-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7212560-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source (PDF object and file offset), size and SHA-256.

  • javascript_obj0025_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 25 at offset 0xE843
    Size: 23990 bytes
    SHA-256: d92fb7470e750b9a097b824b2fc1b6fbb1841032d813f58225414e1844d67503
  • javascript_obj0026_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 26 at offset 0x11F68
    Size: 217 bytes
    SHA-256: 036197a3773b42aa4cf58bc88bec4c3a3d61652db00d98e3b2e3bce3f39583b9
  • javascript_obj0027_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 27 at offset 0x12068
    Size: 191 bytes
    SHA-256: 88d776c9c31b58329ae9b3ceab68fa3ff97727f5a26d83601db59ed4ee150509
  • javascript_obj0028_003.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 28 at offset 0x12146
    Size: 132 bytes
    SHA-256: 533c8f1e0d40313d5ab3ad135144190f644de656939bdc3ccaf1e5a5bf139c42
  • javascript_obj0029_004.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x121FB
    Size: 204 bytes
    SHA-256: 4eea82a81c35b7b26af5a2c794277d8055e48e97f1a8481aaca0aab2235dd5ef