PDF malware analysis — malicious · 9a8b7fadb49f9a29

MALICIOUS

PDF

45.0 KB

MD5: adb1f5f396655ffa7a1a76175fce4110 SHA-1: bb5f9b675d20324cb61752e3ed05398bc4c2105d SHA-256: 9a8b7fadb49f9a295f0ffb5407134ef55aaaf8b20c1f3c6533c7a345614a20a4

106 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged by ClamAV as Pdf.Exploit.Agent-36128 and a machine learning classifier indicated a high probability of maliciousness. Embedded JavaScript streams were detected, suggesting the file is designed to exploit a vulnerability and execute arbitrary code. The primary function appears to be the delivery of a malicious payload.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 3

ClamAV: Pdf.Exploit.Agent-36128 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0008_000.js` `94ec7668d82ab8df27b805c9ca20a71557bf1bba359c839121816719897ba072`	pdf-javascript-stream	PDF /JS object 8 at offset 0x1E7	45305 bytes
`legacy_pdfkit_stage_000.js` `31c4c164cca6a6a6d25a6bd6c91cf31910698f99a614755345fda8246725932d`	deobfuscated-js	double percent-decoded annotation JavaScript at offset 0x1E7	33047 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.