Win.Trojan.Agent-36100 — PDF malware analysis

Static analysis result for SHA-256 75c21583b61b65a1…

MALICIOUS

PDF

27.6 KB
MD5: 3d6854bc37b55d26b0a80f6341161443
SHA-1: 0d2c78dfb216966b87cea0c899d4d140fa68c2d3
SHA-256: 75c21583b61b65a1133eff197e9ba1de1e0376ef2536a65a08fe10e7c83d06e6
Risk Score: 166

Malware Insights

Win.Trojan.Agent-36100 · confidence 95%

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings and the presence of obfuscated JS streams. The ClamAV detection of 'Win.Trojan.Agent-36100' strongly suggests malicious intent. The JavaScript appears to be designed to execute further malicious code, likely downloading a second-stage payload, which is a common technique for trojans.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • ClamAV: Win.Trojan.Agent-36100 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • javascript_obj0008_000.js
    SHA-256: b02aa3aed3c9b9abf3a0c0d279300162aad2aa51c877166af1d3b1950c8fef9e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 27477 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • javascript_obj0008_001.js
    SHA-256: 8c2319fa44b179f1147252f090204f2c5f734efa042b26f29bbff70953eb725c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x20A
    Size: 27727 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • legacy_pdfkit_stage_000.js
    SHA-256: 65977d6cb39cd3ce1048c66576a4a3b3883abfeae129a9e6a7283aa1b83e5e0e
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 15117 bytes