Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f76406b3960c567…

Verdict: MALICIOUS
File type: PDF
Size: 54.7 KB
Created: 2009-09-02 02:27:58
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 5ac400ab89ca96c2f7702030d3e5349a
SHA-1: 4a96f63fa5bf86017764a3799d08ef7b8065e44d
SHA-256: 7f76406b3960c5678c5e6d24984ab1876948374611befb3edd931f7497fde062
Risk Score: 108

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV and an ML classifier, with heuristics indicating embedded JavaScript actions. The JavaScript streams, particularly the large one, are heavily obfuscated but appear to be designed to execute code. This suggests the PDF is a dropper, leveraging JavaScript to exploit a vulnerability and download a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9200

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7276900-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7276900-0
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info, rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • javascript_obj0058_000.js
    SHA-256: f59ce7e3115f4b5311257d83c1d542c03103e22e01ef9b8a3cf19381446c4cba
    Kind: pdf-javascript-stream
    Source: PDF /JS object 58 at offset 0x9977
    Size: 23633 bytes
  • javascript_obj0059_001.js
    SHA-256: f71cff2d7ea2f26e55a0a855760c280bd290ec5bbb7fee96e34c7de5175b8992
    Kind: pdf-javascript-stream
    Source: PDF /JS object 59 at offset 0xCF85
    Size: 234 bytes
  • javascript_obj0060_002.js
    SHA-256: 523e36b70fb3c4e0492998608ed2db8db71e40d77ede9b7bd2589a37b85e6d89
    Kind: pdf-javascript-stream
    Source: PDF /JS object 60 at offset 0xD086
    Size: 177 bytes
  • javascript_obj0061_003.js
    SHA-256: c52c7dfab9ee74c2cffe7b7c993b44bdae10ecf4c4c7fd6b48a47c6ab625fbe4
    Kind: pdf-javascript-stream
    Source: PDF /JS object 61 at offset 0xD15F
    Size: 161 bytes
  • javascript_obj0062_004.js
    SHA-256: 59f818b63db7e719469c6eee39d1d540d6ca3cb69aec13d4e58664403d9a4736
    Kind: pdf-javascript-stream
    Source: PDF /JS object 62 at offset 0xD22E
    Size: 174 bytes