Malicious PDF — malware analysis report

Static analysis result for SHA-256 807d8704ffec82fb…

Verdict: MALICIOUS
File type: PDF
Size: 326.2 KB
Created: 2015-06-05 03:49:56
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 6ee1c6172edc27acbb861fc8093748ac
SHA-1: 699acb55187de5517d704ec063a8ff076b5886de
SHA-256: 807d8704ffec82fbb4d311d850ef079edbb493fec0e2a85c37416cb6b93d4718
Risk Score: 100

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a critical ClamAV detection for Unix.Trojan.PhpBackdoor-9354530-2, indicating it is a known backdoor. A high severity heuristic firing for PDF_EVAL suggests the presence of JavaScript code attempting to execute arbitrary commands, likely to download and execute the backdoor payload. The document body is heavily obfuscated and does not provide clear user-facing lures.

Heuristics (2)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_004_off0000c18f.bin
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xC18F
Size: 264072 bytes