Malicious PDF — malware analysis report

Static analysis result for SHA-256 739cf0b5fe7d7148…

MALICIOUS

PDF

326.2 KB Created: 2015-06-05 02:55:18 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 175066e9c56b7d7263473b0af9b31c3f SHA-1: 0ca6a0b9dde858ce01ee090988eb288e8934aa56 SHA-256: 739cf0b5fe7d7148732a18687be713abff6a4414fdaa93f125b7a7f6cda71687
132 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript and triggered a critical ClamAV detection for Unix.Trojan.PhpBackdoor-9354530-2. Additionally, a high-severity heuristic firing for eval() call suggests code execution within the PDF. The benign URL is likely a distraction or unrelated artifact.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9895

Heuristics 3

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000c18f.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC18F 264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.