Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d2a69a71d242c88…

Verdict: MALICIOUS

File type: PDF

Size: 134.9 KB
Created: 2009-08-11 12:43:52
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)

MD5: 12b263eefbcd330fd854249714b5026c
SHA-1: 44dc4f4da31544ff45b71f8256561e425929b85b
SHA-256: 7d2a69a71d242c882347a91015e39a85a01f0a80015bc9cb03dff5da40b7ed0e

Risk Score: 108

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious Link

The PDF was flagged as malicious by ML classifiers and ClamAV, specifically identified as 'Pdf.Dropper.Agent-7149630-0'. Static analysis revealed embedded JavaScript streams, indicating the PDF's primary function is to execute malicious code. The presence of JavaScript actions and embedded JS streams strongly suggests the PDF is designed to download and execute a secondary payload, a common dropper behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9722

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7149630-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7149630-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • javascript_obj0062_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 62 at offset 0x12770; Size: 117724 bytes
    SHA-256: b2a2f87bf34f5b0620dc1db2c3f23324e9f045294e0c83b90a9ebaf00c5f0381
  • javascript_obj0063_001.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 63 at offset 0x1E129; Size: 34212 bytes
    SHA-256: 962e74582299278abf6dbc4c52f2b65362292883d0bffa44a47c44111452b2fe
  • javascript_obj0064_002.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 64 at offset 0x211E2; Size: 84 bytes
    SHA-256: 38154045ba10217ae4885dde01ddb28e0b997aea2c07bb29e90f8eb926fb845e
  • javascript_obj0065_003.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 65 at offset 0x2126F; Size: 64 bytes
    SHA-256: 323420714e617e8efd54284409bf23e7689b4487c9d0105c81d9944d3fa0855c