Malicious PDF — malware analysis report

Static analysis result for SHA-256 94777d47bb8af211…

MALICIOUS

PDF

1.03 MB
MD5: 3670a3f864bb4dcde9d399cc4e814798
SHA-1: 1ee780ab3b87fad953bebb4b0d068774e115e87d
SHA-256: 94777d47bb8af2112eebdab13fd87addb61283cb3b2cd58d93855112780891fc

Risk Score: 162

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.002 Spearphishing Attachment

The PDF was flagged by ClamAV as Pdf.Dropper.Agent-1506682 and by a machine learning classifier with high confidence. Heuristics indicate that the document is encrypted and also contains JavaScript; the encryption hides the script body from static analysis. This suggests the PDF acts as a dropper, likely downloading and executing a second-stage malicious file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (6)

  • ClamAV: Pdf.Dropper.Agent-1506682 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1506682
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • javascript_obj0029_000.js
    SHA-256: 3efb5d1a5598d3ee7ae500b220714fb83e9eeb69e35549f069e78ee1d8f9410e
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x3556
    Size: 4562 bytes
  • font_00_cff_off0000521b.bin
    SHA-256: cf4a9aaa37300558115c3e99be8e93710443c3c5320de5ebb95742f045fc87e3
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x521B
    Size: 1138 bytes