Malicious PDF — malware analysis report

Static analysis result for SHA-256 88d19c14322b55e5…

Verdict: MALICIOUS
File type: PDF
Size: 77.3 KB
Created: 2009-08-26 23:02:49
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: aacb1b9bce6087c3a2f9977ee66a801e
SHA-1: 195ada0ab86a454d0e64ce1a2fcfe88b24133ff6
SHA-256: 88d19c14322b55e51ba1e471cd01dd700c68dbe358c7ed43c38171623ce2212c
Risk score: 106

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

ClamAV and an ML classifier both identify the file as malicious, and heuristics flag embedded JavaScript. The JavaScript streams are heavily obfuscated, but one of them decodes to a large string that appears to be a URL or a command, which suggests the PDF is built to exploit a reader vulnerability and then fetch a second-stage payload. The obfuscation, together with the absence of any indicator tying the script to a specific family, leads to a moderate confidence score. Note that the creation date and authoring application above come from the PDF's Info dictionary, which the author controls freely, so they say nothing reliable about the sample's provenance.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8846

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7279878-0 (critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7279878-0
  • JavaScript action (low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • javascript_obj0087_000.js
    Kind: pdf-javascript-stream   Source: PDF /JS object 87 at offset 0xF22C   Size: 23718 bytes
    SHA-256: 33b92cf2683398ca8ace5cd175448241efb81f9fff8f71e72912521f55a8f074
  • javascript_obj0088_001.js
    Kind: pdf-javascript-stream   Source: PDF /JS object 88 at offset 0x1289B   Size: 237 bytes
    SHA-256: 6c6068a645bda294b65078203a22bb32f1c89a950493e73fe21414566d73c3b4
  • javascript_obj0089_002.js
    Kind: pdf-javascript-stream   Source: PDF /JS object 89 at offset 0x12995   Size: 173 bytes
    SHA-256: 8d8ecaef7b70e78345f5aba439d7018649d551c4ba5bbb9d912a873714e9bff4
  • javascript_obj0090_003.js
    Kind: pdf-javascript-stream   Source: PDF /JS object 90 at offset 0x12A71   Size: 221 bytes
    SHA-256: 8ee4cf3933f36984f6588169056fe836236907e87b259b5c532e8ba8ee1f8582
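Added example, not the code of the scanner that produced this report: a small carver that reproduces what the PDF_JAVASCRIPT / PDF_JS heuristics and the artifact table above rely on. It walks the PDF's objects, finds /JS entries, resolves the payload whether it is a literal string, a hex string or an indirect reference to a FlateDecode stream, and reports object number, file offset, decoded size and SHA-256 per payload. It decodes #xx escapes in name tokens so that an evasive /J#53 still counts as /JS, and it only trusts /Length when 'endstream' really follows, because malicious files routinely lie about stream lengths. The PDF it parses is constructed inline for the demonstration; every function name is the example's own.

```python
"""Carve JavaScript from a PDF: find /JS entries (the PDF_JS / PDF_JAVASCRIPT heuristics),
resolve literal, hex or indirect-stream payloads, and report object, offset, size and SHA-256.
Added example; not the code of the scanner that produced this report."""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)  # no /ObjStm support
NAME_RE = re.compile(rb"/[^\s/\[\]()<>{}%]*")
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_VALUE_RE = re.compile(rb"/JS\s*(\(|<|(\d+)\s+\d+\s+R)")  # literal, hex string or reference
SAMPLE_SCRIPT = b"var sc = unescape('%u9090%u9090'); app.alert('constructed sample');"


def normalize_names(data):
    """Decode #xx escapes inside name tokens (/J#53 -> /JS), a common keyword-evasion trick."""
    unescape = lambda n: NAME_ESC_RE.sub(lambda e: bytes([int(e.group(1), 16)]), n.group(0))
    return NAME_RE.sub(unescape, data)

def split_stream(body):
    """Return (dictionary, raw stream or None); trust /Length only if 'endstream' follows it."""
    sm = re.search(rb"stream\r?\n", body)
    if not sm:
        return body, None
    header, start = body[:sm.start()], sm.end()
    lm = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", header)  # direct /Length values only
    if lm and re.match(rb"\s*endstream", body[start + int(lm.group(1)):]):
        return header, body[start:start + int(lm.group(1))]
    em = re.search(rb"endstream", body[start:])  # /Length missing, indirect or lying: scan
    return header, body[start:start + (em.start() if em else len(body))].rstrip(b"\r\n")

def parse_objects(pdf):
    """Map object number -> (file offset, normalized dictionary bytes, raw stream or None)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        header, stream = split_stream(m.group(3))
        objs[int(m.group(1))] = (m.start(), normalize_names(header), stream)
    return objs

def read_literal(data, start):
    """Literal string at data[start] == b'(' with nested parentheses; backslash keeps next byte."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 1
        else:
            depth += (c == b"(") - (c == b")")
            if depth == 0:
                break
            if c != b"(" or depth > 1:  # keep inner parentheses, drop the outer pair
                out += c
        i += 1
    return bytes(out)

def decode_stream(header, raw):
    """Inflate FlateDecode data (partial output kept on truncation); other filters stay raw."""
    if b"/FlateDecode" not in header:
        return raw
    try:
        return zlib.decompressobj().decompress(raw)
    except zlib.error:
        return raw

def carve_javascript(pdf):
    """One record per distinct JavaScript payload reachable from a /JS entry."""
    objs = parse_objects(pdf)
    found = {}  # keyed by source object so a stream referenced twice is reported once
    for num, (offset, header, _) in objs.items():
        m = JS_VALUE_RE.search(header) if b"/JS" in header else None
        if not m:
            continue  # no /JS payload here (a bare /S /JavaScript action carries nothing)
        src, src_off = num, offset
        if m.group(1) == b"(":
            js = read_literal(header, m.start(1))
        elif m.group(1) == b"<":
            h = re.sub(rb"\s", b"", header[m.end(1):header.index(b">", m.end(1))])
            js = bytes.fromhex((h + b"0" * (len(h) % 2)).decode("ascii"))
        else:
            src = int(m.group(2))
            if src not in objs or objs[src][2] is None:
                continue  # dangling reference or referenced object is not a stream
            src_off, src_hdr, raw = objs[src]
            js = decode_stream(src_hdr, raw)
        found.setdefault(src, {"object": src, "offset": src_off, "size": len(js),
                               "sha256": hashlib.sha256(js).hexdigest(), "script": js})
    return list(found.values())

def build_sample_pdf():
    """Constructed test file (not the analysed sample): /OpenAction -> /J#53 -> Flate stream."""
    packed = zlib.compress(SAMPLE_SCRIPT)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Action /S /JavaScript /J#53 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed),
        packed, b"\nendstream\nendobj\n", b"trailer\n<< /Root 1 0 R >>\n%EOF\n"])

if __name__ == "__main__":
    for r in carve_javascript(build_sample_pdf()):
        print(f"obj {r['object']} @ 0x{r['offset']:X} {r['size']} bytes sha256={r['sha256']}")
```

The carver is regex-based triage, not a PDF parser: it does not unpack object streams (/ObjStm), handles no filter other than /FlateDecode, and a binary stream that happens to contain "endobj" will be cut short. For anything beyond a first pass, run a proper tool such as pdf-parser.py or peepdf over the same objects and compare the carved hashes.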