Win.Trojan.Agent-36100 — PDF malware analysis

Static analysis result for SHA-256 7425128efb169e59…

Verdict: MALICIOUS
Type: PDF
Size: 27.7 KB
MD5: 1a4ba3a5bca97203ab8f99c82d17c405
SHA-1: f2f9d620d9642cbd6abec683c8ee962dc5e3d700
SHA-256: 7425128efb169e59851e132e94f5b507363cf32672c729f4d538e8d3eb61788d
Risk score: 166

Malware Insights

Win.Trojan.Agent-36100 · confidence 95%

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

This PDF was flagged as malicious by more than one engine: ClamAV identifies it as Win.Trojan.Agent-36100 and the ML classifier scores it as malicious with near certainty. The embedded JavaScript is obfuscated (the carved annotation script only became readable after two rounds of percent-decoding) and appears designed to execute arbitrary code, most likely to fetch a second-stage payload. Note that only JavaScript was carved from the sample, so the second stage itself is inferred rather than recovered.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • ClamAV: Win.Trojan.Agent-36100 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-36100.
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on a carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source, size and detection.

  • javascript_obj0008_000.js
    SHA-256: aacbcddfb68f7a82f8afc30b73cfad7b8b1f93d43626eede8d3fe47556d8cc80
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 27621 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • javascript_obj0008_001.js
    SHA-256: 0c178e8b8adc3b4a26108de40d6cac476b7ad1f46d74718b8721fc69ea79f9ac
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x20A
    Size: 27871 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • legacy_pdfkit_stage_000.js
    SHA-256: 38024b171fc41e300a10240a97ef7f0cf6969286b22e912676efc645751ce6fe
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 15189 bytes
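The heuristics above (/JavaScript action, /JS stream) and the artifact table (JavaScript carved from a numbered object at a file offset, then percent-decoded twice) together describe one workflow. The script below is an added example of that workflow and is not the scanner's own code: it builds a small constructed PDF in memory (one annotation whose /JS is a literal string that has been percent-encoded twice, plus one /JS stream), fires the two generic rules, carves each script with its object number, absolute offset, size and SHA-256, and then peels percent-encoding round by round until the text stops changing. The rule names PDF_JAVASCRIPT and PDF_JS are reused as labels only; the regexes are a deliberately naive object walker, not a full PDF parser, and the payload strings are constructed.

```python
"""Carve JavaScript out of a PDF and peel percent-encoding in rounds.

Added example, not the scanner's own code. The PDF below is constructed
in-line so the script runs offline; object numbers, offsets and hashes are
those of this toy file, not of the analysed sample.
"""
import hashlib
import re
from urllib.parse import unquote

# Constructed annotation script. It is percent-encoded once (every byte becomes
# %XX) and then again (each '%' becomes %25), which is the layering that a
# "double percent-decoded" artifact implies.
INNER_JS = b'app.alert("stage reached");'
ONCE = "".join(f"%{b:02X}" for b in INNER_JS).encode()
TWICE = ONCE.replace(b"%", b"%25")
STREAM_JS = b"this.print();"  # constructed /JS stream body, not encoded

# Minimal constructed PDF: no xref table, which a lenient carver does not need.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10]\n"
    b"   /A << /S /JavaScript /JS (" + TWICE + b") >> >> endobj\n"
    b"5 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n"
    b"6 0 obj << /Length " + str(len(STREAM_JS)).encode() + b" >>\n"
    b"stream\n" + STREAM_JS + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
JS_LITERAL_RE = re.compile(rb"/JS\s*\((.*?)\)", re.S)   # /JS (literal string)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")       # /JS n g R -> stream obj
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def heuristics(pdf: bytes) -> dict:
    """Generic low-severity rules in the spirit of PDF_JAVASCRIPT / PDF_JS."""
    return {
        "PDF_JAVASCRIPT": b"/JavaScript" in pdf,
        "PDF_JS": re.search(rb"/JS\b", pdf) is not None,
    }


def _record(obj: int, offset: int, data: bytes, kind: str) -> dict:
    return {"object": obj, "offset": offset, "kind": kind, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "data": data}


def carve_javascript(pdf: bytes) -> list:
    """One record per JavaScript source: object number, absolute offset, bytes."""
    objects = {}  # object number -> (absolute offset of body, body bytes)
    for m in OBJ_RE.finditer(pdf):
        objects[int(m.group(1))] = (m.start(3), m.group(3))
    found = []
    for num, (base, body) in objects.items():
        for lit in JS_LITERAL_RE.finditer(body):
            found.append(_record(num, base + lit.start(1), lit.group(1), "literal"))
        for ref in JS_REF_RE.finditer(body):
            target = objects.get(int(ref.group(1)))
            if target is None:
                continue  # dangling reference: nothing to carve
            sm = STREAM_RE.search(target[1])
            if sm:
                found.append(_record(num, target[0] + sm.start(1), sm.group(1), "stream"))
    return found


def percent_decode_rounds(data: bytes, max_rounds: int = 4) -> tuple:
    """Apply percent-decoding until a fixed point; returns (plaintext, rounds)."""
    text = data.decode("latin-1")  # byte-preserving, so %XX maps back 1:1
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text.encode("latin-1"), rounds


if __name__ == "__main__":
    print(heuristics(SAMPLE_PDF))
    for rec in carve_javascript(SAMPLE_PDF):
        plain, rounds = percent_decode_rounds(rec["data"])
        print(f"obj {rec['object']} {rec['kind']} at 0x{rec['offset']:X} "
              f"{rec['size']} bytes sha256={rec['sha256'][:16]}... "
              f"decoded x{rounds}: {plain!r}")
```

Run against the constructed file, the annotation script comes back after exactly two rounds and the stream after zero; the records carry the same fields the table above reports (object, offset, size, SHA-256), so on a real sample the carved bytes are what you would hand to ClamAV or hash for the artifact list. The fixed-point loop with a round cap is the part worth keeping: it stops on the first round that changes nothing, so a script that merely uses `%` as the modulo operator is not mangled, and a hostile file cannot make the decoder spin.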