Pdf.Dropper.Agent-1828761 — PDF malware analysis

Static analysis result for SHA-256 64e7b0357828f596…

MALICIOUS

PDF

Size: 34.7 KB · Created: 2009-05-01 21:21:45 · Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 8861140ea2dd49ee3fdd78129322f68c
SHA-1: 16e899c95271aa20165324064749767dfea69ec3
SHA-256: 64e7b0357828f596c9b5f6c233f87a67fd9aa3fd2cc00eb766e183cbe4a1a902
Risk Score: 206

Malware Insights

Pdf.Dropper.Agent-1828761 · confidence 95%

MITRE ATT&CK
T1059.007 (JavaScript), T1203 (Exploitation for Client Execution)

This PDF sample contains embedded JavaScript that uses an eval() call to deobfuscate and execute code. The script appears to be designed to download and execute a second-stage payload, as indicated by the PDF_JS_EXPLOIT_CLUSTER and ML_NYX_PDF_MALICIOUS heuristics. The ClamAV detection further confirms its malicious nature as a dropper.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Dropper.Agent-1828761 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1828761
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.