Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ac0d18b91eeb03f…

MALICIOUS

PDF

30.0 KB Created: ¨/u ª˜-AðdœÒã4*G€¸O Authoring application: ¼F$HòÍÜ*]¡9ÃDž`AGsÉ ½FéÉ' (via ­v5UùÜÜ?7¬&ێ¿iVF:O‰¦XûÏBÁªÆšiò)
MD5: d217b9eac95aac8578bee010c5a93a59 SHA-1: 24276a83fc3cea0bdbea6242e19ca62b1b58766d SHA-256: 6ac0d18b91eeb03fa4866aab4442f59293f806785f15b89b944eeeae642d68ce
216 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file was flagged as malicious by ClamAV and an ML classifier, indicating it contains the EICAR test signature. It contains embedded JavaScript which is likely used to exploit PDF viewer vulnerabilities and download further malicious content. The presence of embedded JavaScript and the EICAR signature strongly suggests a malicious intent, likely for payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9744

Heuristics 7

  • ClamAV: Eicar-Test-Signature critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Eicar-Test-Signature
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.iec.ch

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
eicar.com
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f		 pdf-embedded-file PDF EmbeddedFile object 23 at offset 0x591B 68 bytes
Detection
ClamAV: Eicar-Test-Signature
Obfuscation or payload: unlikely
javascript_obj0012_000.js
96e70381bb9d3e5feaf19d1051707cd6fa9ad3a8ba3d5afb7a4544f8d10fc0bb		 pdf-javascript-stream PDF /JS object 12 at offset 0x1367 1438 bytes
icc_00_off00006153.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x6153 3144 bytes
javascript_obj0041_000.js
b10ecfa459fb4c999c8373786bad8b7a5be102b73fc78e843b8be0423de30a63		 pdf-javascript-stream PDF /JS object 41 at offset 0x62F8 1438 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.