Malicious PDF — malware analysis report

Static analysis result for SHA-256 8848295e94768f37…

MALICIOUS

PDF

Size: 37.8 KB
Created: 2010-04-14 17:13:00 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: b6a1f2425a9055f99b933962836e9d8d
SHA-1: 52fbedca451a161a3d4a7843b963c88b8372b990
SHA-256: 8848295e94768f3739e0b28c3e77fef770fd99f455e925f89d289e242e707bbf
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ClamAV detection of 'Pdf.Exploit.Agent-22120' strongly suggests exploitation of a known PDF vulnerability. The embedded JavaScript is likely responsible for executing the malicious payload, though its specific actions are not detailed in the provided evidence. The document body content is nonsensical and does not provide any contextual clues.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-22120 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22120
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256: 8d27446cc8f85773ea12f8600f7aa8c19a0be3f1b60b7618c3072fd726b59128
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0x8CD4
Size: 1346 bytes