Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c9d2edd6deac726…

MALICIOUS

PDF

184.9 KB Created: 2009-08-03 10:28:24 +08:00
MD5: 9d5518fbe90bb37157c6c116d8fe85e4 SHA-1: 663def66c2b4b0c1a092daae6314d4b44ae9762c SHA-256: 7c9d2edd6deac726b5a2628f7a3726045732be638bdb355bebb2b0f8c7b26484
140 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF was flagged by multiple heuristics as containing malicious content, specifically an embedded Flash (SWF) object. ClamAV detection confirms this, identifying it as 'Swf.Malware.Agent-7104323-0'. The PDF structure suggests it is image-only, likely a lure to entice users to interact with the embedded malicious Flash content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5638

Heuristics 5

  • ClamAV: Swf.Malware.Agent-7104323-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Swf.Malware.Agent-7104323-0
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://adobe.com/AS3/2006/builtin
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0032_00.bin
86cf71bb204eddd273984a68ac4dd99b5ab7d9a93334be70dfe736883042a648		 pdf-objstm-decoded PDF /ObjStm 32 0 obj (inflated) 1878 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.