Malicious PDF — malware analysis report

Static analysis result for SHA-256 68ad52eabe7eafe6…

MALICIOUS

PDF

42.8 KB Created: 2009-11-08 15:54:50 +03:00 Authoring application: sureIn (via 289c71a3a46b3f3ef38d65ff4583a19e)
MD5: b90bbf23204c380fd97c59a4e3bf0431 SHA-1: c32ba47e7f379b8d0c25f37f6cddc03496d08793 SHA-256: 68ad52eabe7eafe61fe52633efbca2b356e7318eca603edb663abbb68c1bfc32
214 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript that utilizes an eval() call, indicating an attempt to execute obfuscated code. The JavaScript is designed to download and execute a secondary payload, as suggested by the 'Pdf.Dropper.Agent-7268833-0' ClamAV detection name. The presence of JavaScript exploit cluster heuristics further supports this conclusion.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Dropper.Agent-7268833-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7268833-0
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
9e401096306dbf614aa6c85ffe42058d2a3d1ca7e5f33fa9060b65ec2f17c37f		 pdf-javascript-stream PDF /JS object 11 at offset 0x16E2 4096 bytes
javascript_obj0012_001.js
4480bd7bb2be343639eaf32e7fc5058ce25a5e41981b6a5c8c4e94354468b324		 pdf-javascript-stream PDF /JS object 12 at offset 0xA56F 41 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.