PDF / .TXT malware analysis — malicious · 8e6fbe06d348fc29

MALICIOUS

PDF / .TXT

37.3 KB Created: 2010-04-12 01:38:22 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: fbc01f0a1db8799ae9d42b51987d149e SHA-1: f549a1a74d9ec33024e2b77e440d467e98c0752a SHA-256: 8e6fbe06d348fc2951158d69df26b1e38dc23df57c34a24d39768cd2bd294955

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF document identified as malicious by ClamAV (Pdf.Exploit.Agent-22431) and a machine learning classifier. It contains embedded JavaScript, indicated by multiple heuristic firings. This JavaScript is likely responsible for exploiting a PDF vulnerability to download and execute a secondary payload, as suggested by the 'ML_NYX_PDF_MALICIOUS' and 'CLAMAV_DETECTION' heuristics. No specific malware family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Pdf.Exploit.Agent-22431 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-22431
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `cd58dd30fcecf85a6d8e211f69b2253e3c95a72990b8b4710eb7bcd6ba9463a0`	pdf-javascript-stream	PDF /JS object 10 at offset 0x8AFE	1344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.