Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a9a189ddbb9a805…

MALICIOUS

PDF

7.4 KB Created: 2010-09-16 18:55:19 Authoring application: Tolhipezorojpagiwaqo (via 12c30Seueganadazaqeav)
MD5: 9c3bcbd73939af9db503a54d6533e7c6 SHA-1: 5695e5bc69f35465294b68724d6f646fd6081df0 SHA-256: 7a9a189ddbb9a805a601c6ff2a9ccab59ef8e0d95b0d5e57c5ade79d8ead14fd
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1027 Obfuscated Files or Information

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for obfuscated objects and an ML classifier indicating maliciousness. Embedded JavaScript streams were identified, suggesting the document's primary function is to execute arbitrary code. The obfuscated nature of the JavaScript, as indicated by the 'ObfuscatedNameObject' rule and the ML score, points towards an attempt to evade detection. The specific JavaScript stream 'javascript_obj0011_000.js' is the primary artifact for further analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics 3

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0011_000.js
e2d41866c9fb013feb60cefe8b41892c7277decb0774febb940ce493b1221654		 pdf-javascript-stream PDF /JS object 11 at offset 0x1387 2332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.