PDF malware analysis — malicious · 96ffcc3a24d5df2d

MALICIOUS

PDF

12.6 KB Created: 2010-03-17 13:16:23 Authoring application: Qihenekoqewimqifce

MD5: e011c2891d2b061196f98fcfe2e4a4d6 SHA-1: 3169cbe497704459d09e1d5b5637c85a2dbea486 SHA-256: 96ffcc3a24d5df2da286f56963f860f0ee2a90fc7695a7c9be7296c90adc7b91

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Dropper.Agent-7284688-0', and a high ML score indicating maliciousness. The presence of embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics, suggests the document is designed to execute code. While the JavaScript content itself was not detailed, its presence in a malicious PDF strongly implies it's used to download and execute a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

ClamAV: Pdf.Dropper.Agent-7284688-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7284688-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0020_000.js` `dfce10c25364df020b9e0e890640f0cc577a5cdd82ece8152cd56081a1f00c64`	pdf-javascript-stream	PDF /JS object 20 at offset 0x28C6	83028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.