PDF malware analysis — malicious · 96c255e8617ba580

MALICIOUS

PDF

27.9 KB

MD5: d5f89bc319db2bc0b1cd0221e65a6ea2 SHA-1: 92752e92da13e50355aa238d9b42fc7b5c4c510f SHA-256: 96c255e8617ba580178ab1fdf2992debb55811d888d19fab2538bebd854f464d

136 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file contains embedded JavaScript, identified by PDF_JAVASCRIPT and PDF_JS heuristics. ClamAV detections indicate the presence of 'Win.Trojan.Agent-36100', suggesting a malicious payload. The obfuscated JavaScript likely serves to download and execute this payload, although the exact mechanism is obscured.

Heuristics 4

ClamAV: Win.Trojan.Agent-36100 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-36100
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0008_000.js` `1733f02238ca8b5cdfae62164f8d73bbbb9afe153036d63ce305a05770299031`	pdf-javascript-stream	PDF /JS object 8 at offset 0x1E7	27765 bytes
Detection ClamAV: Win.Trojan.Agent-36100 Obfuscation or payload: unlikely
`legacy_pdfkit_stage_000.js` `716e870317bb1313fbf0dcf2767c664aa4057991859becdf0d9d1f73666353bb`	deobfuscated-js	double percent-decoded annotation JavaScript at offset 0x1E7	15261 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.