Win.Trojan.Agent-36100 — PDF malware analysis

Static analysis result for SHA-256 8166118a690b5d76…

MALICIOUS

PDF

27.7 KB
MD5: 4e419233fbc800034e0ff470285793ba SHA-1: f100cf984290fd7b838c234c335ad7d873f6cfd0 SHA-256: 8166118a690b5d7619993194a0994ab184cd602ebc03adb7cfa7918909c5a051
Risk Score: 166

Malware Insights

Win.Trojan.Agent-36100 · confidence 95%

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF carries embedded JavaScript: both the /JavaScript-action and /JS-stream heuristics fired, and two script files were carved from object 8. The script is wrapped in percent-encoding rather than heavy obfuscation (the carver's own obfuscation check rates the raw streams "unlikely", and the third artifact is the same script after two rounds of percent-decoding); once unwrapped it is built to execute further code, most likely fetching a second-stage payload. The ClamAV signature 'Win.Trojan.Agent-36100' confirms the file as known-malicious, but 'Agent' is ClamAV's generic trojan family name and says nothing specific about the payload, so the downloader assessment rests on the decoded script rather than on the signature name.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • ClamAV: Win.Trojan.Agent-36100 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36100
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Each artifact is listed with its filename, SHA-256, kind, source, size and any detection.

  • javascript_obj0008_000.js
    SHA-256: b4026010dd4dbf492e5b2d589613f759bf6ae08affa1b0e90404ee495fe33b09
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 27621 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • javascript_obj0008_001.js
    SHA-256: cc33cb814b66cad46bf24dfa6c6139d6f8e94076fa996e501c4a2c3891dc58c9
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x20A
    Size: 27871 bytes
    Detection: ClamAV: Win.Trojan.Agent-36100
    Obfuscation or payload: unlikely
  • legacy_pdfkit_stage_000.js
    SHA-256: 39a5ef190bcabfd5c7108c5d41fdbc1813295980909e840a6a1942b63e4b5e58
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 15189 bytes
    Detection: none listed
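The two steps the report records for this sample, carving the /JS stream behind a /JavaScript action and then percent-decoding it twice, are shown below as an added Python example. It is illustrative code written for this page, not the analysis platform's carver and not the sample's own script. The PDF it builds is constructed inline; its object numbers, the /OpenAction wiring, the WATCHLIST of Acrobat API names and the stand-in payload are assumptions for the demonstration, and the carver deliberately walks the raw bytes instead of trusting the xref table.

```python
"""Carve JavaScript out of a PDF and peel nested percent-encoding.
Illustrative code added to this report, not the analysis platform's carver.
The PDF from build_sample_pdf() is constructed here, is not the sample above,
and its object numbers, /OpenAction wiring and payload are assumptions."""
import re
import zlib
from urllib.parse import quote, unquote

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_KEY_RE = re.compile(rb"/JS\b|/JavaScript\b")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_LITERAL_RE = re.compile(rb"/JS\s*\(")
PERCENT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# Acrobat JavaScript calls worth a closer look once the script is decoded (assumed list).
WATCHLIST = ("eval(", "unescape(", "app.launchURL(", "exportDataObject(", "util.printf(")

def parse_objects(pdf):
    """Map object number -> (byte offset, body); walks raw bytes, ignores the xref table."""
    return {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}

def decode_stream(body):
    """Return an object's stream payload, inflating it if /FlateDecode is set."""
    m = STREAM_RE.search(body)
    data = m.group(1) if m else b""
    return zlib.decompress(data) if m and b"/FlateDecode" in body[:m.start()] else data

def read_literal_string(body, start):
    """Read the PDF literal string whose '(' is at `start`: balanced unescaped
    parentheses nest, and backslash escapes are copied through verbatim."""
    depth, out = 0, bytearray()
    i = start
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":  # keep the escape and the escaped byte as-is
            out += body[i:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if not (c == b"(" and depth == 1):
            out += c
        i += 1
    return bytes(out)

def carve_javascript(pdf):
    """Return every script reachable through a /JS or /JavaScript key, either a
    referenced stream object (the 'pdf-javascript-stream' case) or an inline
    literal string, together with the object number and offset it came from."""
    objs, hits = parse_objects(pdf), []
    for num, (offset, body) in objs.items():
        head = re.split(rb"stream\r?\n", body, 1)[0]  # dictionary only, never the binary payload
        if not JS_KEY_RE.search(head):
            continue
        if (m := JS_REF_RE.search(head)) and int(m.group(1)) in objs:
            target = int(m.group(1))
            hits.append({"action_obj": num, "js_obj": target, "offset": objs[target][0],
                         "kind": "stream", "data": decode_stream(objs[target][1])})
        elif m := JS_LITERAL_RE.search(head):
            hits.append({"action_obj": num, "js_obj": num, "offset": offset,
                         "kind": "literal", "data": read_literal_string(head, m.end() - 1)})
    return hits

def peel_percent_encoding(text, max_rounds=8):
    """Percent-decode until no %XX escapes remain or nothing changes. Returns
    (decoded, rounds); the 'double percent-decoded' artifact is rounds == 2."""
    rounds = 0
    while rounds < max_rounds and PERCENT_RE.search(text):
        nxt = unquote(text)
        if nxt == text:
            break
        text, rounds = nxt, rounds + 1
    return text, rounds

def analyze(pdf):
    """Carve each script, peel its encoding layers, and note watchlisted APIs."""
    report = []
    for hit in carve_javascript(pdf):
        decoded, rounds = peel_percent_encoding(hit["data"].decode("latin-1"))
        report.append({**hit, "decoded": decoded, "percent_rounds": rounds,
                       "watchlist": [api for api in WATCHLIST if api in decoded]})
    return report

INNER_JS = 'app.alert("constructed stage");'  # stand-in payload, not the sample's

def build_sample_pdf():
    """Constructed PDF: /OpenAction -> /JavaScript action -> FlateDecode stream
    holding a twice percent-encoded script that unwraps itself at open time."""
    script = 'var s = "%s"; eval(unescape(unescape(s)));' % quote(quote(INNER_JS, safe=""), safe="")
    stream = zlib.compress(script.encode())
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n",
        b"8 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
        + stream + b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])

if __name__ == "__main__":
    for e in analyze(build_sample_pdf()):
        print("object %d @ %#x (%s): %d decode round(s), watchlist %s\n  %s"
              % (e["js_obj"], e["offset"], e["kind"], e["percent_rounds"], e["watchlist"], e["decoded"]))
```

Run against the constructed file, analyze() reports one script from object 8 that needed two percent-decoding rounds, which is the shape of the third artifact above. The carver only searches an object's dictionary for /JS keys, so compressed stream bytes can never produce a spurious hit, and peel_percent_encoding stops when a round changes nothing, so a script that merely contains a literal "%41" in a string does not loop forever.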