PDF malware analysis — malicious · 74e64f5e6588e46d

MALICIOUS

PDF

32.0 KB

MD5: 682d0608a86858a0b1b0ec5de5d2e689 SHA-1: 1d95f8baa212ef0b9e73aedce014f424a1ddf502 SHA-256: 74e64f5e6588e46d1b59e640fbf51d6ba81527c31ca93f8bcf91fdc4207de9c6

436 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF document contains obfuscated JavaScript and an embedded Flash object that exploits CVE-2010-1297. The JavaScript uses an unescape function to decode a payload, which is then likely executed by the Flash exploit. This indicates a multi-stage attack aiming to achieve code execution on the victim's system.

Machine Learning

Nyx PDF Classifier malicious score 0.9956

Heuristics 11

Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA

PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
Hex-obfuscated scripting name object critical PDF_OBFUSCATED_NAME_OBJECT

A PDF name object that drives script execution (/JavaScript or /JS) is written with #XX hex escapes to hide it from string-based scanners — e.g. /J#61v#61S#63r#69p#74 decoding to /JavaScript. Legitimate PDF producers always write these names literally; hex-encoding an executable name is a deliberate evasion used by exploit-kit and dropper PDFs.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`pAEhNslcwv.swf` `c2b666a3ef4c191b77b78c037656e50477b8ba3d35fd61ae843a3a1f4d41c5c1`	pdf-embedded-file	PDF EmbeddedFile object 16 at offset 0x1600	26774 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`javascript_obj0006_000.js` `ccca2cd5aff16ce8e5ca5232240725f2690545823183282e2d969689d5927296`	pdf-javascript-stream	PDF /JS object 6 at offset 0x13E	3814 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.