Malicious PDF — malware analysis report

Static analysis result for SHA-256 92f383a6877e9153…

MALICIOUS

PDF

338.1 KB Created: 2015-08-07 00:21:34 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 854ac3e52004e7aeb4b9a8a57a45c460 SHA-1: 90545ba7f6112ce13c903b5629235d1170c8764c SHA-256: 92f383a6877e9153982ea148beb50be876d2f394002237d8de5dcb1cee1ff8c7
100 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The ClamAV heuristic identified this file as Unix.Trojan.PhpBackdoor-9354530-2, indicating a PHP backdoor. The PDF_EVAL heuristic suggests the presence of executable code within the PDF, likely to facilitate the backdoor's execution or obfuscation. The document body is heavily obfuscated and unreadable, providing no further context on the lure or intended victim.

Heuristics 2

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off0000c24a.bin
a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xC24A 264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.