PDF malware analysis — malicious · 858c90edf745157a

MALICIOUS

PDF

1.72 MB Created: 2016-01-19 00:43:14 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: 341e7c7d9a114f42f391f76868ac8432 SHA-1: b7c03f33eeda8da45f0b1aa84eb882e21249eda9 SHA-256: 858c90edf745157ab7bf93323514c4c6a8be13742d5b964e9ec1274b7b2aac98

132 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Unix.Trojan.PhpBackdoor-9354530-2'. An eval() call was also detected within the PDF content, suggesting the execution of arbitrary code. While no specific document body text was readable, the presence of these indicators strongly points towards an exploit attempting to download and execute a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.6475

Heuristics 3

ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_010_off0000cf7e.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCF7E	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.