PDF / .PHP malware analysis — malicious · 6063c7b3df292c0d

MALICIOUS

PDF / .PHP

37.8 KB Created: 2010-04-11 20:50:16 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: 0e16e3250bad2aa25c6be8723ee819a0 SHA-1: e8197cc7e53ca5444f6388d103ab225596c510ab SHA-256: 6063c7b3df292c0d4e5adc0db66f3699fdcdb17403def2c13ae21827491f2dc2

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is obfuscated but appears to be designed to download and execute a secondary payload. The script uses a string concatenation technique to construct a command that is then evaluated. The ML classifier and ClamAV detection strongly indicate malicious intent, likely involving exploitation of a PDF vulnerability.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Pdf.Exploit.Agent-22617 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-22617
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `f959f717e06aea8cebb327e673a9edb2cbe21f0a5f9136b4102b84cf6c90a07c`	pdf-javascript-stream	PDF /JS object 10 at offset 0x8CF5	1346 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.