Malicious PDF — malware analysis report

Static analysis result for SHA-256 978821fdaf15a0fe…

MALICIOUS

PDF

91.1 KB Created: 2010-08-03 22:58:52 +07:00 Authoring application: EditPad Lite - C:\Documents and Settings\think-again\Desktop\New Text Document.txt (via doPDF Ver 7.1 Build 330 (Windows XP Professional Edition (Service Pack 3) - Version: 5.1.2600 (Platform: x86)))
MD5: df304d336a12b06370d2d4ba4303f3c0 SHA-1: 03a69a3321209298ee9a79961eff39ff1f800114 SHA-256: 978821fdaf15a0fe6566fa017742292430a89754ea12ab4f54a59ed217e31f9c
198 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by multiple heuristics as malicious, including an embedded script payload and a high ML classifier score. ClamAV detected the file as 'Doc.Dropper.Agent-1828513', indicating it functions as a dropper. The embedded script is likely responsible for downloading and executing a second-stage payload, a common technique for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7361

Heuristics 4

  • ClamAV: Doc.Dropper.Agent-1828513 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-1828513
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
info.doc
250ff87ba85b2cb7bd04c9e4442eb08f70d5c1d555347c16addaa0d05bda8cb0		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x7497 234241 bytes
Detection
ClamAV: Doc.Dropper.Agent-1828513
Obfuscation or payload: unlikely
font_00_sfnt_off00000b95.bin
2c48037b5e1f1e5a0d5017a210128240d62e57af2b8c5d32a4506534715b3fbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB95 52482 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.