MALICIOUS
114
Risk Score
Malware Insights
MITRE ATT&CK
T1059.007 JavaScript
T1203 Exploitation for Client Execution
T1566.001 Spearphishing Attachment
The sample is a PDF file flagged by ClamAV as Pdf.Exploit.Agent-22718 and by an ML classifier as malicious. It contains embedded JavaScript that is obfuscated but appears to reconstruct a string and execute it via `app.setTimeOut`. This JavaScript likely downloads and executes a second-stage payload, a common technique for exploiting PDF vulnerabilities. The specific exploit used is not detailed, but the presence of JavaScript and the ML/ClamAV detections strongly indicate malicious intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 4
-
ClamAV: Pdf.Exploit.Agent-22718 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-22718
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0010_000.js5df9d333488e8816fadd73fb0b29c172d463fb153e5eeae581d9544e3ebc4173 |
pdf-javascript-stream | PDF /JS object 10 at offset 0x8CE8 | 1346 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.