Malicious PDF — malware analysis report

Static analysis result for SHA-256 880c8c8101bf5970…

Verdict: MALICIOUS
File type: PDF
Size: 18.6 KB
MD5: 3cfee590e447fb5736ef66d44111fef9
SHA-1: 7fc87ae74fbce9df8532e4c781851b0a348aa78e
SHA-256: 880c8c8101bf5970da3408df6a5e80a8efec839df90c717866a672ba65ccb98b
Risk Score: 214

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The PDF file contains an embedded executable payload identified by ClamAV as 'Win.Trojan.Fakeav-20712', and also listed as 'Trojan-Ransom.Win32.Agent.fd'. The presence of JavaScript actions and embedded files, particularly a PE payload, strongly indicates malicious intent to deliver and execute malware. The embedded JavaScript stream, though not fully detailed, likely contributes to the execution of the payload.

Heuristics (8)

  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Win.Trojan.Fakeav-20712 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Fakeav-20712
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Additional-actions dictionary low PDF_AA
    PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Trojan-Ransom.Win32.Agent.fd
    SHA-256: 85d711c674858a9d38d2e0a23bf83fc291ae5d25b4d4173c12ec435e1c4fcf73
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0x477
    Size: 20992 bytes
    Detection: ClamAV: Win.Trojan.Fakeav-20712
    Obfuscation or payload: likely (carved artifact entropy is 7.49, consistent with packed or encrypted content)
  • javascript_obj0009_000.js
    SHA-256: 8b41a3786d0366d296afb07fdc2f1e8ebcaed9358b48a86500ad0e802638eb62
    Kind: pdf-javascript-stream
    Source: PDF /JS object 9 at offset 0x482A
    Size: 188 bytes