Malicious PDF — malware analysis report

Static analysis result for SHA-256 5179c675d40b5f80…

MALICIOUS

PDF

12.2 KB
MD5: 9962a20accf4c39ae2bd3ed23c694ddd SHA-1: 54d43dcdbb14676f654ad00c49494db344f75503 SHA-256: 5179c675d40b5f8065edd6b7114f6d324e38be19759d3ef0b2e741f7e3f56aa5
166 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious File

The PDF file was flagged as malicious by multiple heuristics, including a critical ClamAV detection (Pdf.Exploit.Agent-36365) and an ML classifier. It contains embedded JavaScript, which is likely used to exploit a vulnerability within the PDF reader. The embedded JavaScript file, 'javascript_obj0076_000.js', is the primary indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-36365 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36365
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0076_000.js
d87a1947de89747848573a56d6bfbb38a7d182c981db4d5a9ebc4bf8a6999051		 pdf-javascript-stream PDF /JS object 76 at offset 0x369 11347 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36364
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.