Malicious PDF — malware analysis report

Static analysis result for SHA-256 592ca034b2be54a9…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: 8d91b8cc76e7de955c21a143f9e793eb
SHA-1: e14bd4e0ef3042e930c840c3194c45e047b47f49
SHA-256: 592ca034b2be54a9745a47a5cad13158ee61b0357841320f4a3eab8f132ef166
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical-severity ClamAV heuristic detects the file as Pdf.Exploit.Agent-36128. Low-severity heuristics confirm that JavaScript is embedded within the PDF structure. The embedded JavaScript is large and is likely what executes the exploit, which drives the malicious classification. The document body content is not indicative of a specific lure.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action (low; PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: 8926518904bc593c9a50e2263a630c4f9e997f4da1889b47f58fc47e4d97f920
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 45305 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: 5f75cce3f25453e545eef895cdbf86c1498b7460c28d997a150c3aa1fec96983
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 33047 bytes