PDF malware analysis — malicious · 8f0d87ef3332dc26

MALICIOUS

PDF

3.8 KB

MD5: 6714506f5b1a16ce5a7f0b61d9bc8454 SHA-1: 8293d3ebf52068960d00aa790962579283d4edf0 SHA-256: 8f0d87ef3332dc266803ffda3f6c036181eba0a29579f0ba7ef1ab686b1d398e

112 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious JavaScript

The critical ClamAV detection 'Pdf.Exploit.Agent-36178' strongly indicates malicious intent. Several low-severity PDF heuristics, including the presence of JavaScript actions and embedded JS streams, along with the use of ASCIIHexDecode and ASCII85Decode filters, suggest an attempt to obfuscate and execute malicious code within the PDF. The document body content is unreadable, providing no further clues.

Heuristics 6

ClamAV: Pdf.Exploit.Agent-36178 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36178
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
String.fromCharCode low PDF_FROMCHARCODE

String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85

ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation

Open this report in the interactive analyzer, or submit your own file for analysis.