Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c3a719337a8185c…

Verdict: MALICIOUS
File type: PDF
Size: 7.3 KB
Created: 2010-09-16 18:52:20
Authoring application: Qabifagevafa (via f0018Tiqotezozav)
MD5: 961278f727049717406a6155c41cbcd5
SHA-1: eb172349af36587d94c5a219af7c1bdb5c9ec350
SHA-256: 5c3a719337a8185c1c446d44976884f71e55b299acb9d2b16d841535862dd83d
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript, flagged by multiple heuristics and by a machine learning classifier. The structure of the JavaScript and the presence of obfuscated strings indicate that it is designed to download and execute a second-stage payload. The ClamAV detection 'Heuristics.PDF.ObfuscatedNameObject' further supports the malicious classification. The primary IOC is the embedded JavaScript file itself (see Extracted artifacts below).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject — severity: critical — rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action — severity: low — rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream — severity: low — rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0011_000.js
SHA-256:  ff85b44f7d06834e69a161aee8e28b7340c56fef50ee1649100cb6f376ea5386
Kind:     pdf-javascript-stream
Source:   PDF /JS object 11 at offset 0x1364
Size:     2324 bytes