Malicious PDF — malware analysis report

Static analysis result for SHA-256 5599d40508172790…

Verdict: MALICIOUS
File type: PDF
Size: 32.4 KB
Created: 2010-01-17 10:46:55 +03:00
Authoring application: overMore (via ba00c3e6292cc2a52a34e7b373a4a9eb)
MD5: db2301a6503679c12998c70d33ce101b
SHA-1: a3af787480b94f6fa6c645463c8b645c30b0c10b
SHA-256: 5599d4050817279023d9d01a5110540875fe85d50798616f33e232f4397ca91e
Risk Score: 164

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was flagged by ML classifiers and ClamAV as malicious (Pdf.Dropper.Agent-7013081-0). Static analysis revealed embedded JavaScript with eval() calls and ASCII85Decode filters, indicating obfuscated code execution. The presence of JavaScript actions and embedded JS streams strongly suggests the script is designed to download and execute a secondary payload, a common technique for PDF-based malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (7)

  • ClamAV: Pdf.Dropper.Agent-7013081-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7013081-0
  • eval() call [severity: high, rule: PDF_EVAL]
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action [severity: low, rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low, rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) [severity: low, rule: PDF_FILTER_85]
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger [severity: low, rule: PDF_OPTIONAL_CONTENT]
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Suspicious extracted artifact [severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0014_000.js
    SHA-256: c6bc70932c0ffe193a404d5631467e6db1eb226f653562d3fcc78b9a8c4220fe
    Kind: pdf-javascript-stream
    Source: PDF /JS object 14 at offset 0x191E
    Size: 37163 bytes
  • Filename: javascript_obj0016_001.js
    SHA-256: 12ac428aa4b040fbcdf2181c6af597336dd261610260a4839b51bcd3f86df4a7
    Kind: pdf-javascript-stream
    Source: PDF /JS object 16 at offset 0x764D
    Size: 1756 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).