Verdict: MALICIOUS
Risk Score: 92
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains multiple embedded JavaScript streams and triggers associated with PDF exploits. ClamAV detected this as Pdf.Exploit.Agent-22536. The embedded JavaScript is likely responsible for exploiting a vulnerability within the PDF reader to execute arbitrary code, potentially downloading a second-stage payload. The presence of multiple JavaScript streams and exploit-related heuristics suggests a high likelihood of malicious intent.
Heuristics 6
- ClamAV: Pdf.Exploit.Agent-22536 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Exploit.Agent-22536
- JavaScript action (low, PDF_JAVASCRIPT): PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, PDF_JS): PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Additional-actions dictionary (low, PDF_AA): PDF defines /AA (Additional Actions) that references an executable action (JS/JavaScript/Launch/SubmitForm) — can auto-trigger on document or widget events. Form-field calc/format/validate/keystroke handlers in legitimate interactive forms commonly fire this, so it is reported as a low-weight signal; weaponised auto-execution is flagged by stronger rules (PDF_OPENACTION, encrypted-with-JS, etc.).
- AcroForm button with action trigger (low, PDF_ACROFORM_BUTTON): PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://www.fjd.de
Extracted artifacts 32
Files carved from inside the sample during analysis.