Pdf.Dropper.Agent-7272656-0 — PDF malware analysis

Static analysis result for SHA-256 73881426ea887285…

Verdict: MALICIOUS

File type: PDF

Size: 26.6 KB
Created: 2006-02-01 14:14:12
Authoring application: Wegoptyr (via HghTc6Fs)
(The creation date and authoring-application strings are read from the PDF's own metadata, which is attacker-controlled; treat them as unverified.)

MD5: 37f3e8d656b0d1695f5e6f72aef4a9c2
SHA-1: 8e56fceb9f502fe75e8e136c5bc3c9d1d0d47fe8
SHA-256: 73881426ea88728519d4a22225c1c2044b127314244ead23363f7c066c8a47bc

Risk score: 208

Malware Insights

Pdf.Dropper.Agent-7272656-0 · confidence 95%

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The PDF carries embedded JavaScript that assembles strings by concatenation and hands the result to eval(), so the script's real logic is not visible to a plain static read of the stream. The combination of that JavaScript/action surface with eval and decoder tokens is what fired the PDF_JS_EXPLOIT_CLUSTER heuristic, which the platform treats as staging for client-side exploitation (T1203); the report names no specific CVE. The script's most likely purpose is to fetch and run a second-stage payload, which is consistent with the dropper classification.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (6)

  • PDF JavaScript exploit cluster (critical, PDF_JS_EXPLOIT_CLUSTER)
    The PDF combines an executable JavaScript/action surface with exploit-staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own stays low-severity; this correlated cluster is high-confidence malicious behaviour.
  • ClamAV: Pdf.Dropper.Agent-7272656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7272656-0
  • eval() call (high, PDF_EVAL)
    eval() found; commonly used to execute obfuscated exploit code.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
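Added example (not the analysis platform's code, and not the JavaScript from this sample): a minimal static triage script that carves /JS bodies out of a PDF, inflates FlateDecode streams, counts the eval/decoder/string-building tokens the heuristics above refer to, and rolls them up into the same four rule IDs (PDF_JAVASCRIPT, PDF_JS, PDF_EVAL, PDF_JS_EXPLOIT_CLUSTER). The two sample PDFs, their JavaScript, the token patterns and the severity mapping are constructed assumptions for illustration; it also shows why a concatenated decoder name ("un" + "escape") is counted, since a plain grep for unescape( would miss it.

```python
import re
import zlib

# --- Regexes over the raw PDF byte stream (assumptions for this example) ---
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")               # /JS 5 0 R   (indirect stream)
JS_LIT_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)    # /JS (...)   (inline literal string)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")       # direct /Length only, not "/Length 9 0 R"

# Staging tokens modelled on the report's eval/decoder/string-building checks.
STAGING = {
    "eval": re.compile(rb"\beval\s*\("),
    "unescape": re.compile(rb"\bunescape\s*\("),
    "fromCharCode": re.compile(rb"\bfromCharCode\b"),
    # "ev" + "al" style name building: a quoted string joined to another quoted string
    "string_concat": re.compile(rb"""(["'])[^"']*\1\s*\+\s*["']"""),
}
DECODERS = ("eval", "unescape", "fromCharCode")


def build_sample_pdf(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF: catalog -> /OpenAction -> JavaScript action -> /JS stream (object 5).
    No xref table is written; static carving does not need one."""
    body = zlib.compress(js) if compress else js
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(body), filt, body),
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def _stream_body(obj_body: bytes):
    """Raw bytes of a stream object; a direct /Length beats scanning for 'endstream' in binary data."""
    m = re.search(rb"stream\r?\n", obj_body)
    if not m:
        return None
    start = m.end()
    length = LENGTH_RE.search(obj_body)
    if length:
        return obj_body[start:start + int(length.group(1))]
    end = obj_body.find(b"endstream", start)
    return obj_body[start:end if end >= 0 else None].rstrip(b"\r\n")


def carve_js(pdf: bytes):
    """Carve every JavaScript body reachable from a /JS key as (object number, script bytes).
    Later definitions of an object number win, as in an incrementally updated PDF."""
    objs = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    scripts = []
    for num, body in objs.items():
        for m in JS_REF_RE.finditer(body):
            target = objs.get(int(m.group(1)))
            data = _stream_body(target) if target is not None else None
            if data is None:
                continue
            if b"/FlateDecode" in target:
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    pass  # keep the raw bytes; a stream that refuses to inflate is itself worth a look
            scripts.append((int(m.group(1)), data))
        for m in JS_LIT_RE.finditer(body):
            scripts.append((num, m.group(1)))
    return scripts


def count_tokens(js: bytes):
    return {name: len(rx.findall(js)) for name, rx in STAGING.items()}


def triage(pdf: bytes):
    """Roll carved scripts up into the rule IDs used in the report (severities are assumptions)."""
    rules = {}
    if re.search(rb"/S\s*/JavaScript\b", pdf):
        rules["PDF_JAVASCRIPT"] = "low"        # a /JavaScript action exists (common in benign forms)
    scripts = carve_js(pdf)
    if scripts or re.search(rb"/JS\b", pdf):
        rules["PDF_JS"] = "low"                # a /JS body exists
    tokens = {name: 0 for name in STAGING}
    for _, js in scripts:
        for name, n in count_tokens(js).items():
            tokens[name] += n
    if tokens["eval"]:
        rules["PDF_EVAL"] = "high"
    surface = "PDF_JAVASCRIPT" in rules or "PDF_JS" in rules
    staged = any(tokens[d] for d in DECODERS) or b"/XFA" in pdf
    if surface and staged:                     # JS surface correlated with staging indicators
        rules["PDF_JS_EXPLOIT_CLUSTER"] = "critical"
    return {"rules": rules, "tokens": tokens, "scripts": len(scripts)}


# Constructed scripts (not from the analysed sample): a benign form calculation and a staged loader.
BENIGN_JS = (b'var total = this.getField("total");\n'
             b'total.value = this.getField("a").value + this.getField("b").value;\n')
STAGED_JS = (b'var k = "un" + "escape";\n'                               # builds the decoder name piecewise
             b'var s = this[k]("%61%70%70");\n'                          # decodes to "app"
             b'eval(String.fromCharCode(115,116,97,103,101,50) + s);\n')  # "stage2" + decoded text


def demo():
    return {
        "benign_form": triage(build_sample_pdf(BENIGN_JS, compress=False)),
        "staged_dropper": triage(build_sample_pdf(STAGED_JS, compress=True)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The benign form fires only the two low rules; the staged script fires PDF_EVAL and the critical cluster even though the literal `unescape(` never appears, because the concatenated name and the fromCharCode call are counted as staging tokens. Real-world carving needs more than this (object streams, cross-reference streams, other filters, hex strings), so treat the script as the shape of the check rather than a replacement for a full PDF parser.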

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0007_000.js
    SHA-256: ee2c370ec61a1089a568ca39e20c57d29a492bc617866837e73e9eb31e071835
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x1EE
    Size: 26136 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (the carved artifact contains 2 eval/decoder/string-building tokens)
  • javascript_obj0007_001.js
    SHA-256: f6ae2210410d2402582e1a06e60cdef599d51700791903a067c74a4f9ff47ba6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x1EE
    Size: 411 bytes

Note that the ClamAV detection reported above applies to the PDF as a whole; the carved JavaScript scans clean on its own, so the file-level signature is not a substitute for inspecting the extracted script.