PDF malware analysis — malicious · 81d6829c92904b73

MALICIOUS

PDF

292.6 KB Created: 2017-03-07 14:20:47 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: af7a807707b3d27659287ac2a1e88674 SHA-1: b6371e985939535a89d01f863d6b86879bd57b12 SHA-256: 81d6829c92904b73e66b99500bb859dd7626f37f3e6a1f576d816203fa862570

132 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Unix.Trojan.PhpBackdoor-9354530-2', indicating it is a known backdoor. The presence of an 'eval()' call and ML classifier output further support its malicious nature. While the document body is heavily obfuscated and unreadable, the heuristics and detection name strongly suggest the file is designed to execute arbitrary code, likely to download and run a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9921

Heuristics 3

ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off0000b915.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xB915	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.