PDF malware analysis — malicious · 843c6b27580932a2

MALICIOUS

PDF

36.1 KB

MD5: 372c2ffdfaf4d2903a49681c3db45479 SHA-1: 17c9347b9aded891d498c74e5a5d48d78cdbc1ff SHA-256: 843c6b27580932a2d3141bd984bf33a6dfde783fc3b3ae1e1e69370e370dea50

146 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF was flagged by ClamAV as Pdf.Dropper.Agent-7278368-0 and ML classifiers indicated a high probability of maliciousness. Embedded JavaScript with eval() calls suggests the execution of arbitrary code. The document body is unreadable, but the presence of JavaScript and high heuristic scores strongly indicate a dropper functionality.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7278368-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7278368-0
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0032_000.js` `ea4dfa0ca6b04a8f779f3c9012490073436eb66e9b917c1a330bd8adf2e2b65f`	pdf-javascript-stream	PDF /JS object 32 at offset 0x2CA	2851625 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.