Malicious PDF — malware analysis report

Static analysis result for SHA-256 743cdf3c9a2a1196…

MALICIOUS

PDF

58.0 KB Created: 2009-11-15 19:41:70 Authoring application: PDF Library 4.3.9 (via PDF Library 3.9.7)
MD5: 0f45088af1bd1aab9674eb55a08b7de7 SHA-1: b9255ffce2b7ee1115063fc320e7f4f35440f831 SHA-256: 743cdf3c9a2a119693b468e6706e1f74aca75179a5d8cbde7a22c36d6dcec996
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings and the presence of a large JS stream. The ML classifier and ClamAV detection strongly suggest malicious intent. The JavaScript, though heavily obfuscated, is the primary mechanism for executing malicious code, likely to download and execute a second-stage payload. This points to a common attack pattern involving malicious documents delivered via phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics 3

  • ClamAV: Pdf.Dropper.Agent-7272974-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7272974-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
ed6f63e97727755de4ec98a4efa4c92bfab90f44b4b180a93420db0f2e30c48b		 pdf-javascript-stream PDF /JS object 7 at offset 0x1A5 116905 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.