Win.Trojan.Agent-36100 — PDF malware analysis

Static analysis result for SHA-256 6130bb0a668445ed…

Verdict: MALICIOUS
File type: PDF
Size: 27.7 KB
MD5: 983192090f17c5e0558a7a1cc5042a9c
SHA-1: 790ba0d5cb969d99ea851c80f5610217303f2b18
SHA-256: 6130bb0a668445ed90e0951d42f677275ff16163ea9c953dd908cda5a060acf3
Risk score: 166

Malware Insights

Win.Trojan.Agent-36100 · confidence 95%

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1566.001 Phishing: Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains multiple embedded JavaScript streams. ClamAV matches both the container and the carved /JS streams to Win.Trojan.Agent-36100, and together with the ML classifier score of 0.9999 that signature hit is what drives the verdict. Two caveats follow from the page's own data: the carved streams are rated "Obfuscation or payload: unlikely", and the only decoding step recorded is the double percent-decoding of an annotation JavaScript into legacy_pdfkit_stage_000.js, so describing the script as heavily obfuscated overstates what was observed. The generic /JavaScript and /JS rules fired, but no dangerous-API rule did; a download-and-execute second stage is therefore a hypothesis the static results do not confirm, and the sample should be treated as a delivery vehicle on the strength of the signature and classifier rather than on observed behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Win.Trojan.Agent-36100 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0008_000.js
    SHA-256: a640352993f221fff2f179a05d0d782e7b0a431c628c4ad9eee94f264bf87756
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 27621 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • Filename: javascript_obj0008_001.js
    SHA-256: 612a7597cadfbe0a65e4df19ffdf9edf3bbc6243f76a1dfcfc4617df143b9e8d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x20A
    Size: 27871 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • Filename: legacy_pdfkit_stage_000.js
    SHA-256: bcb6afcc77aa495efc7333f04d550387a07141386c1ebafc0d50decaa36e35b8
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 15189 bytes
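As an added example (not the analyser's own code), the following Python script does what the two generic heuristics above (PDF_JAVASCRIPT for a /JavaScript action, PDF_JS for a /JS reference) and the artifact list describe: it walks the PDF's objects, resolves each /JS to its stream or literal string, inflates FlateDecode streams, carves the script with its SHA-256 and source offset, and peels percent-encoding layer by layer, which is the "double percent-decoded" step that produced legacy_pdfkit_stage_000.js. The embedded PDF is constructed for the demo and is not the analysed sample; all function and rule names are my own, and the object/stream parsing is a flat regex walk that ignores object streams, cross-reference streams and escaped parentheses, which a production carver must handle.

```python
import hashlib
import re
import urllib.parse
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS(?![A-Za-z])")            # /JS key, not a longer name
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")       # /JS as an indirect reference
JS_LIT_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)  # naive literal string: stops at first ')'
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![ \t]*\d+\s+R)")  # direct /Length only, not 'N 0 R'
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")


def build_sample_pdf():
    """Constructed sample for the demo, NOT the analysed file: a one-page PDF whose
    /OpenAction runs a /JavaScript action. The /JS stream is percent-encoded twice and
    then FlateDecode'd, so a scanner has to peel three layers to reach the script."""
    js = 'app.alert("stage two would run here");'
    twice = urllib.parse.quote(urllib.parse.quote(js, safe=""), safe="")
    body = zlib.compress(twice.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def peel_percent_encoding(text, max_layers=4):
    """Percent-decode repeatedly while %XX escapes remain and decoding still changes
    the text. Returns (decoded, layers). The cap stops the loop on JavaScript that
    legitimately contains literal %XX sequences."""
    layers = 0
    while layers < max_layers and PCT_RE.search(text):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text, layers = decoded, layers + 1
    return text, layers


def stream_payload(obj_body):
    """Return the decoded bytes of the stream inside one object body, or None."""
    m = re.search(rb"stream\r?\n", obj_body)
    if not m:
        return None
    start = m.end()
    length = LENGTH_RE.search(obj_body)
    if length:
        data = obj_body[start:start + int(length.group(1))]
    else:  # indirect /Length: fall back to the endstream keyword
        data = obj_body[start:obj_body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in obj_body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # corrupt or non-standard stream: carve the raw bytes anyway
    return data


def carve_javascript(pdf):
    """Apply the PDF_JAVASCRIPT / PDF_JS heuristics to every object, resolve each /JS
    to its stream or literal string, and carve and decode the script."""
    objects = {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for num, (offset, body) in objects.items():
        rules = []
        if b"/JavaScript" in body:
            rules.append("PDF_JAVASCRIPT")
        if JS_KEY_RE.search(body):
            rules.append("PDF_JS")
        if not rules:
            continue
        hit = {"obj": num, "offset": offset, "rules": rules}
        ref, lit = JS_REF_RE.search(body), JS_LIT_RE.search(body)
        raw = None
        if ref and int(ref.group(1)) in objects:
            src_off, src_body = objects[int(ref.group(1))]
            raw = stream_payload(src_body)
            hit["source"] = "/JS object %s at offset %#x" % (ref.group(1).decode(), src_off)
        elif lit:
            raw = lit.group(1)
            hit["source"] = "/JS literal string in object %d at offset %#x" % (num, offset)
        if raw is not None:
            script, layers = peel_percent_encoding(raw.decode("latin-1"))
            hit.update(sha256=hashlib.sha256(raw).hexdigest(), size=len(raw),
                       percent_layers=layers, js=script)
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in carve_javascript(build_sample_pdf()):
        print(hit["obj"], hit["rules"], hit.get("source"),
              "percent layers peeled: %d" % hit.get("percent_layers", 0))
        print(hit.get("js"))
```

Run it against a real sample by replacing build_sample_pdf() with the file's bytes; the carved script bytes and SHA-256 correspond to the page's javascript_objNNNN_NNN.js entries, and the percent_layers count is the evidence you would cite for a "deobfuscated-js" artifact instead of calling the script obfuscated on sight.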