Malicious PDF / .TMP — malware analysis report

Static analysis result for SHA-256 7c5d193eea4170c7…

MALICIOUS

PDF / .TMP

3.3 KB
MD5:     67c9405110f8012bda2938e46cdc51a6
SHA-1:   4135cd9e23c31622cc47bfbc0d2dfb0f9b3bbc95
SHA-256: 7c5d193eea4170c7f4290271fa5185769f0f8c49ae60dee4c31cb0671e27bc34

Risk Score: 106

Malware Insights

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution

The file is identified as malicious by ClamAV and by an ML classifier, and heuristics indicate the presence of a /JavaScript action and an embedded /JS stream within the PDF. The extracted JavaScript is obfuscated and is designed to execute a payload, most likely by triggering an exploit in the PDF viewer. The string reconstructed from the JavaScript, 'AfejR' + 'v' + '8' + 'M' + 'l' + 's' + 'y' + '7' + 'U' + 'a', is not directly actionable as a URL or command, but the overall behavior points to a PDF exploit that delivers a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36121 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36121
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0007_000.js
SHA-256:  88b7fb60a53c98542619777dcd5d3b0526f52f375251f9485a24340dff707e53
Kind:     pdf-javascript-stream
Source:   PDF /JS object 7 at offset 0xA96
Size:     364 bytes