Malicious PDF — malware analysis report

Static analysis result for SHA-256 546a787a4f7df137…

MALICIOUS

PDF

Size: 62.6 KB
Created: 2017-06-02 11:53:56 +03:00
Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 18238d303b368c0932fbd3083198f51d
SHA-1: 55fe07081ce4d835081532d84e3c42b5c303f77c
SHA-256: 546a787a4f7df13720f89afde13623fbe21d65267e4178b2c395c43c1fcd2c7e
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF was flagged by ML classifiers and ClamAV as malicious, specifically as a dropper. It contains embedded files and a JavaScript stream. The embedded artifacts, including a .zip file and Office documents, along with the JavaScript, suggest the PDF's primary purpose is to download and execute a secondary payload. The ClamAV detection names 'Pdf.Dropper.Agent-7212911-0' and 'Doc.Downloader.Jaff-6329915-0' further support this dropper functionality.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Dropper.Agent-7212911-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7212911-0
  • ClamAV detection on extracted artifact (severity: critical, rule: EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low, rule: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams. This is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists: Filename, SHA-256, Kind, Source, Size (and Detection where ClamAV fired on the carved file).

  • 381DKNVX6TT814.zip
    SHA-256: 903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 4 at offset 0xA62
    Size: 116 bytes
  • 0.docm
    SHA-256: f4632ca7e63bdb96ee9d6fb0c4bcb558b69612fff5c8771ff8489d18fb1dfe1d
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0xBC2
    Size: 11370 bytes
  • 1.xlsx
    SHA-256: 95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x2EDF
    Size: 7723 bytes
  • 381DKNVX6TT814_1.txt
    SHA-256: 24d49be13a6aa5fe1e38cca3a806e58eef372ed12588bc174b794b2c9e5c2ee8
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x44FD
    Size: 156 bytes
  • 381DKNVX6TT814.docm
    SHA-256: b6cb69bf1c6188c2d34bdbf701d7e544a6ba5f8b8b4cb9f1d3f66c27a3a9b589
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 16 at offset 0x46A5
    Size: 57503 bytes
    Detection: ClamAV: Doc.Downloader.Jaff-6329915-0
    Obfuscation or payload: unlikely
  • javascript_obj0018_000.js
    SHA-256: c3686dd7badc2e2ec6d17879fe0ae32745a9a4a14e599098188ac40ccf4e93c4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 18 at offset 0xF417
    Size: 133 bytes