Malicious PDF — malware analysis report

Static analysis result for SHA-256 5611d86c7c8dc065…

Verdict: MALICIOUS
File type: PDF
Size: 60.7 KB
First seen: 2022-02-23
MD5: 0533a234ac2761d9833170ecbc600414
SHA-1: 55ba926bf728f9b8b89c841f4f60f95869ec60ea
SHA-256: 5611d86c7c8dc065aa831d18491247e34456e6e846c08526e9c51942b556a653
Risk Score: 178

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF contains embedded JavaScript and an embedded file, both flagged as malicious by ClamAV. The ML classifier also strongly indicates maliciousness. The embedded file, 'embedded_file_obj0022.bin', is detected by ClamAV as 'Xls.Downloader.94c25b356b5a6cac-9978798-0', suggesting it's a downloader. The PDF's structure and embedded content point to a delivery mechanism for a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9674

Heuristics (7)

  • ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Xls.Downloader.94c25b356b5a6cac-9978798-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source location inside the PDF, size, and any detection.

  • embedded_file_obj0022.bin
    SHA-256: 2f70b7de0474708798801fdf3bd50bfe54890a60260d631cede70a71ceef55cf
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 22 at offset 0x3B0F
    Size: 50360 bytes
    Detection: ClamAV: Xls.Downloader.94c25b356b5a6cac-9978798-0
    Obfuscation or payload: likely (carved artifact entropy is 7.83, consistent with packed or encrypted content)
  • stream_006_off0000ef6a.bin
    SHA-256: dfe5c276daae5daf2892ed1b82c66a48d7872a94222875623b6d3c1d960b0488
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xEF6A
    Size: 929 bytes