Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ce6eb6803b60c72…

Verdict: MALICIOUS

File type: PDF

Size: 37.5 KB
Created: 2009-09-15 20:20:11
Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 46df661dc5e9a792d2ff4e3512e04bc5
SHA-1: 78f0c7f21a952455e95f987c9ced3742de77a513
SHA-256: 8ce6eb6803b60c72ba79ac6ba734886fa09fe19ffbeb73309af53bb68706e56b
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF was flagged as malicious by the ML classifier and by ClamAV, whose signature names it a dropper. Embedded JavaScript streams were detected, indicating that script is likely executed when the document is opened. The ClamAV detection name 'Pdf.Dropper.Agent-7007340-0' suggests the script is designed to download and execute a second-stage payload; the name reflects a signature family rather than observed behaviour, so the carved JavaScript streams listed under Extracted artifacts should be reviewed to confirm what the script actually does. The creation timestamp and authoring application above are read from the document's own metadata, which the author controls, and are not reliable indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (4)

  • ClamAV: Pdf.Dropper.Agent-7007340-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7007340-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename: javascript_obj0017_000.js
SHA-256: 55eedaf8d86d252addd5bcd55a3573440182c5bcb1b5dbb0aaef8f4ab60f6920
Kind: pdf-javascript-stream
Source: PDF /JS object 17 at offset 0x4AE8
Size: 24179 bytes

Filename: javascript_obj0018_001.js
SHA-256: 0181d85a25dac5ce0127c5a90216d55123ef128b8f90d5a22ae504a44e93e8b8
Kind: pdf-javascript-stream
Source: PDF /JS object 18 at offset 0x8DB5
Size: 190 bytes

Filename: javascript_obj0019_002.js
SHA-256: 96145fc13a28490ecad97fdbaac9aed06d73dffb160ebf9c081ada8e1a04bdcd
Kind: pdf-javascript-stream
Source: PDF /JS object 19 at offset 0x8E88
Size: 303 bytes

Filename: javascript_obj0020_003.js
SHA-256: ac6b5544561de200956e11a997284fdd5dfea0689c446f354f1d064d5a529228
Kind: pdf-javascript-stream
Source: PDF /JS object 20 at offset 0x8FB8
Size: 145 bytes

Filename: javascript_obj0021_004.js
SHA-256: ba116999ae1aa9136696d0c9e82910d86f13f90b15864f99a17f6e6aee5b4a08
Kind: pdf-javascript-stream
Source: PDF /JS object 21 at offset 0x9080
Size: 167 bytes