Malicious PDF — malware analysis report

Static analysis result for SHA-256 667a36c673e8150a…

Verdict: MALICIOUS
File type: PDF
Size: 31.5 KB
Created: 2009-04-24 09:54:29 +02:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: 50529f40071a9f0258cdd4b24ec93fbf
SHA-1: 0455329d4a5ee8cfd52ca4f4939c49757903beed
SHA-256: 667a36c673e8150afe0cedaffebaf1d6bb04fa82568927eca6341ef334317a7e
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript (Command and Scripting Interpreter)
  • T1566.001 Spearphishing Attachment (Phishing)

The PDF file contains obfuscated JavaScript, indicated by multiple heuristic firings related to PDF JavaScript actions and embedded JS streams. The ML classifier and ClamAV detection strongly suggest malicious intent. The JavaScript appears to be designed to download and execute a second-stage payload, as evidenced by the use of eval and string concatenation to construct code. The document's metadata suggests it was created using PScript5.dll, a common tool for generating malicious PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9972

Heuristics (3)

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.