PDF malware analysis — malicious · 88244fc9d8ff4630

MALICIOUS

PDF

MD5: 00b4c640838a647815c74a2d65333828 SHA-1: 5d358b4618ae8cf527b438e7bb79726d9cfda0a6 SHA-256: 88244fc9d8ff4630e96a5beaf913f5353f46380ce1f7ff579a5850840d2d0fd9

258 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains embedded JavaScript that appears to be involved in launching an embedded document named 'P2GU6A9VM.doc'. This document was also detected by ClamAV as a downloader. The PDF itself is flagged as malicious by ML classifiers and ClamAV, indicating a high likelihood of malicious intent. The embedded JavaScript functions like 'wgetNow8' and the reference to launching a file suggest the PDF is a lure to execute a secondary payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9973

Heuristics 9

ClamAV: Pdf.Malware.Agent-6325035-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Malware.Agent-6325035-0
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://schemas.openxmlformats.org/drawingml/2006/main
- http://schemas.openxmlformats.org/officeDocument/2006/bibliography
- http://schemas.openxmlformats.org/officeDocument/2006/customXml

Extracted artifacts 15

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`P2GU6A9VM.zip` `903009fce8532924f1b563553078268fb6658e76b1b0ab6df9ca5d1463757beb`	pdf-embedded-file	PDF EmbeddedFile object 4 at offset 0x943	116 bytes
`0.docm` `f4632ca7e63bdb96ee9d6fb0c4bcb558b69612fff5c8771ff8489d18fb1dfe1d`	pdf-embedded-file	PDF EmbeddedFile object 8 at offset 0xA99	11370 bytes
`1.xlsx` `95d44ba9b1684bda97fd78f150794190549cc6712a039efd73b775a8049daec2`	pdf-embedded-file	PDF EmbeddedFile object 12 at offset 0x2DB6	7723 bytes
`P2GU6A9VM_1.txt` `0236c3bd975363f3dfc954c1d0733ad6413f2047327e901891676d2405d19e20`	pdf-embedded-file	PDF EmbeddedFile object 14 at offset 0x43D4	268 bytes
`P2GU6A9VM.doc` `cfe966f16dc7926bc7ab508be95d765dc93e1c83432fa970110b0846fd77a6cb`	pdf-embedded-file	PDF EmbeddedFile object 18 at offset 0x45A2	104960 bytes
Detection ClamAV: Doc.Downloader.Jaff-6329915-0 Obfuscation or payload: likely Carved macro source contains an auto-exec entry point and execution/download terms.
`javascript_obj0020_000.js` `daacf7708513854d8d74f0e7d4490f96cd7a670da759f06486c178bf01a02a81`	pdf-javascript-stream	PDF /JS object 20 at offset 0xEF88	59 bytes
`javascript_obj0023_001.js` `e7ca93bdf607d018edc02353faa68301deb49efbb70c59b6a2c9edbab6951931`	pdf-javascript-stream	PDF /JS object 23 at offset 0xF25A	63 bytes
`javascript_obj0024_002.js` `5e86646d44339bf6b3b82d81abb4bba1343f13eb69793bd53251c933f8870d46`	pdf-javascript-stream	PDF /JS object 24 at offset 0xF2C4	54 bytes
`javascript_obj0025_003.js` `1ba58e2a3e2bc49dc97eaa3df086aec14fb04f095a5e09ddd0a0dec40003e9a6`	pdf-javascript-stream	PDF /JS object 25 at offset 0xF329	41 bytes
`javascript_obj0027_005.js` `84ec0f9799cfd6d2eedee8a92dddcb8e5ecc6f8601f0a96c8209a756f410c772`	pdf-javascript-stream	PDF /JS object 27 at offset 0xF3B6	35 bytes
`javascript_obj0028_006.js` `ff22fe1dce659447d0db8248c2020ff7718dc499e5e0678ccd09d4c3774dc771`	pdf-javascript-stream	PDF /JS object 28 at offset 0xF401	46 bytes
`javascript_obj0033_007.js` `3c06d2ee278e1031e818b73cbf620836ef812924433573e9f3bd266cf6fc2464`	pdf-javascript-stream	PDF /JS object 33 at offset 0xFC4E	33 bytes
`javascript_obj0021_009.js` `51b3e214f38729500ff39139b08d521aaf2bb069e2a66ae2cf6b8e5a437707c7`	pdf-javascript-stream	PDF /JS object 21 at offset 0xEFEE	1441 bytes
`javascript_obj0029_010.js` `9fd25580d0d2d09fb6c5678ba340547226c48ae6845785ba0e87496fd5cb17df`	pdf-javascript-stream	PDF /JS object 29 at offset 0xF459	648 bytes
`javascript_obj0031_011.js` `239b8eaa8243fda1336bc5936b98d6cbcf1ebd0d2f69004cc0bc52091ae6ecdb`	pdf-javascript-stream	PDF /JS object 31 at offset 0xF5CE	5530 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.