Malicious PDF — malware analysis report

Static analysis result for SHA-256 83ad7e9c10cd5c0f…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
Authoring application: substr
MD5: b7e4df4995ca0718be865b34b9c91aa7
SHA-1: 91b936809be61e9f7d5fa3aa4d5a8522e05f6639
SHA-256: 83ad7e9c10cd5c0f6e1e615e04dba3727b28ba7407e881744c5400638260e5de
Risk Score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF document contains embedded JavaScript that is obfuscated but appears to construct and execute a payload. The script reconstructs the string 'eval(s2)' and then calls it, indicating that it is designed to download and run a second-stage payload. The ML classifier and the ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Malware.Agent-7658978-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Malware.Agent-7658978-0
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0001_000.js
SHA-256: 9c5e5337f2a223ea3fd855badacac69233cbd465d2590c04026630c37de9859c
Kind: pdf-javascript-stream
Source: PDF /JS object 1 at offset 0xBD35
Size: 474 bytes