Unix.Trojan.PhpBackdoor-9354530-2 — PDF malware analysis

Static analysis result for SHA-256 5432532d9bbb586e…

MALICIOUS

PDF

Size: 291.4 KB
Created: 2017-03-08 09:02:52
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: e2ff739afb21e7d8322e1f43d0e96571
SHA-1: 4813658aa0b4b64994b23805c38dceeedc37d2cf
SHA-256: 5432532d9bbb586eb24ce25966295bbabf726b753fdb1cbe9911939d4baabfb1
Risk Score: 132

Malware Insights

Unix.Trojan.PhpBackdoor-9354530-2 · confidence 95%

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The PDF file was flagged by ClamAV as Unix.Trojan.PhpBackdoor-9354530-2, and heuristic analysis detected an eval() call, strongly suggesting malicious intent. The ML classifier also assigned a high probability of maliciousness. The document body was unreadable, but the combination of ClamAV detection and the eval() heuristic indicates the presence of a backdoor.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9907

Heuristics 2

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: stream_002_off0000b8c5.bin
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xB8C5
Size: 264072 bytes