Pdf.Dropper.Agent-9238367-0 — PDF malware analysis

Static analysis result for SHA-256 86a12222a402cb7d…

Verdict: MALICIOUS
File type: PDF
Size: 29.2 KB
MD5: 05cd33af9c550eb07987d24ed4aa6735
SHA-1: d00200c97b8d9d330dfd632f8c8ccd51a93c9f4c
SHA-256: 86a12222a402cb7d6249b3eb1b35492b7b0adb61821b91455a3aaddbe8ba4484
Risk Score: 150

Malware Insights

Pdf.Dropper.Agent-9238367-0 · confidence 95%

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF carries, inside comment text, a VBScript-style decimal byte array (Array(c(077),c(090),...)) that decodes to a valid Windows PE image, so the file functions as a dropper: the PDF is the carrier and the decoded executable is the payload. The ML classifier score and the ClamAV signature hit both agree with that verdict. The carved PE is the primary indicator of what is being delivered; its hash is listed under extracted artifacts below and the executable should be analysed as a sample in its own right.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9902

Heuristics (2)

  • [critical] PDF_VBS_DECIMAL_ARRAY_PE_PAYLOAD: VBScript-style decimal byte array decodes to a PE payload
    PDF comment text contains a VB/VBScript-style decimal byte array, such as c(077),c(090), that decodes to a verified Windows PE executable. The rule is gated on a comment-line Array(c(...)) assignment and a valid MZ/PE header to keep false positives low.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Dropper.Agent-9238367-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9238367-0
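The gating the PDF_VBS_DECIMAL_ARRAY_PE_PAYLOAD rule describes, as an added Python example that is not the scanner's own code: it walks PDF comment lines, requires an `= Array(c(...))` assignment, decodes the decimal elements, and accepts the result only if it carries an MZ stub whose e_lfanew field points at a PE\0\0 signature. The sample PDF and the minimal PE image are constructed here for the demonstration; the offset-based filename mirrors the naming seen in the artifact table but is an assumption about how the scanner derives it.

```python
import hashlib
import re
import struct

# A PDF comment runs from '%' to end of line. Restricting the search to comments
# is the first gate: Array(...) literals inside object bodies or streams are ignored.
COMMENT_RE = re.compile(rb"%[^\r\n]*")
# Second gate: the literal must be an assignment of a VB-style Array(c(NNN), ...).
ARRAY_RE = re.compile(rb"=\s*Array\s*\(")
ELEMENT_RE = re.compile(rb"c\((\d{1,3})\)")


def decode_decimal_array(comment: bytes):
    """Decode '... = Array(c(077),c(090),...)' into bytes; None if not well-formed."""
    m = ARRAY_RE.search(comment)
    if m is None:
        return None
    body = comment[m.end():]
    depth, end = 1, None
    for i, ch in enumerate(body):          # find the ')' that closes Array(
        if ch == 0x28:
            depth += 1
        elif ch == 0x29:
            depth -= 1
            if depth == 0:
                end = i
                break
    if end is None:
        return None
    values = [int(v) for v in ELEMENT_RE.findall(body[:end])]
    if not values or any(v > 255 for v in values):
        return None                        # reject empty or out-of-range elements
    return bytes(values)


def is_pe(blob: bytes) -> bool:
    """Third gate: 'MZ' DOS stub and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_pe_payloads(pdf: bytes):
    """Return one record per comment line whose decimal array decodes to a PE image."""
    hits = []
    for cm in COMMENT_RE.finditer(pdf):
        payload = decode_decimal_array(cm.group(0))
        if payload is None or not is_pe(payload):
            continue
        hits.append({
            "offset": cm.start(),           # assumed: offset of the carrying comment line
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "filename": f"decimal_array_pdf_pe_{cm.start():08x}.exe",
            "payload": payload,
        })
    return hits


def build_fake_pe() -> bytes:
    """Constructed minimal PE: 64-byte DOS header, e_lfanew -> 'PE\\0\\0' + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + coff


def to_vb_array(name: bytes, blob: bytes) -> bytes:
    """Encode bytes the way the dropper does: '% name = Array(c(077),c(090),...)'."""
    return b"% " + name + b" = Array(" + b",".join(b"c(%03d)" % b for b in blob) + b")\n"


# Constructed sample PDF (not the analysed file): one real payload plus three decoys
# that each fail a different gate.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"% Array(c(077),c(090)) with no assignment does not pass the gate\n"
    + b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    + to_vb_array(b"sh", build_fake_pe())      # the dropper payload
    + to_vb_array(b"txt", b"ABC")              # decodes, but is not a PE
    + b"% bad = Array(c(077),c(999))\n"        # out-of-range element
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for h in carve_pe_payloads(SAMPLE_PDF):
        print(f"{h['filename']} offset=0x{h['offset']:x} size={h['size']} sha256={h['sha256']}")
```

Run against a real sample, swap `SAMPLE_PDF` for the file's bytes and write each `payload` to disk under its `filename` for separate analysis. The three gates are what keep the rule quiet on benign PDFs: a stray `Array(` in a comment, or a decimal array that decodes to text, never reaches the verdict.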

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: decimal_array_pdf_pe_00000229.exe
SHA-256: f40e9b3abcd01868cd06164ccce3f4a6b493ee780cf8a2360732e7a807f12bb9
Kind: embedded-pe
Source: PDF raw comment decimal-array PE payload at offset 0x229
Size: 4168 bytes