Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e0e9db017cc2c9d…

MALICIOUS

PDF

292.6 KB Created: 2017-03-08 09:02:32 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 34cd6f891fced01c68b6c86bfdf9bf88 SHA-1: fb27c55653bca9212939c1977df41686df98c4f8 SHA-256: 5e0e9db017cc2c9d3e2e68e4eaed5a8f1ff333dbfc8cbf01a423acdc8cc495f8
132 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Unix.Trojan.PhpBackdoor-9354530-2' and a high severity heuristic for an 'eval() call'. The ML classifier also strongly indicated maliciousness. While the document body is unreadable and no scripts were explicitly extracted, the presence of an embedded URL and the nature of the heuristics suggest this PDF is designed to execute malicious code, likely a backdoor, upon opening.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9921

Heuristics 3

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off0000b915.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB915 264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.