PDF malware analysis — malicious · 8085f20b039582aa

MALICIOUS

PDF

23.2 KB

MD5: 8d6a3722e459099d166681217bead206 SHA-1: d9d7641226ab21808c45dab136c2e7a3dec1e7a0 SHA-256: 8085f20b039582aaf7fe0bb08a4d890339a47e7eaa3ae57cb2e1bbbd62590361

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The file is a PDF identified as malicious by ML classifiers and ClamAV, with specific heuristics indicating embedded JavaScript. This JavaScript is likely used to exploit a client execution vulnerability and download a secondary payload, a common technique for initial access via spearphishing attachments. No specific URLs or executable content were directly extracted for IOCs.

Machine Learning

Nyx PDF Classifier malicious score 0.9981

Heuristics 4

ClamAV: Pdf.Exploit.Agent-35646 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objstm_0019_00.bin` `729414f6718edf0ec69ca74ac4aadd8cf5d728dc183704dd6bc7f97d97bd8911`	pdf-objstm-decoded	PDF /ObjStm 19 0 obj (inflated)	270 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.