Pdf.Dropper.Agent-7285915-0 — PDF malware analysis

Static analysis result for SHA-256 9aa7b4356658472f…

Verdict: MALICIOUS
File type: PDF
Size: 5.9 KB

MD5: bb441f830bee01efeda76245d9d04dc0
SHA-1: e46c59c44f89ecb61547926179f46978afa98344
SHA-256: 9aa7b4356658472faa547e94308baa438a0b2fa09eb1282b71f6470c3ce1ba73

Risk Score: 116

Malware Insights

Pdf.Dropper.Agent-7285915-0 · confidence 95%

MITRE ATT&CK

  • T1059.001 JavaScript
  • T1566.002 Spearphishing Attachment

The PDF was flagged by multiple heuristics, including ML classifiers and ClamAV, indicating malicious intent. The presence of embedded JavaScript and an embedded file strongly suggests a dropper functionality. The JavaScript stream is likely responsible for downloading and executing the embedded file, which is the secondary payload. The ML classifier output of 0.999949 further reinforces the high confidence in this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • ClamAV: Pdf.Dropper.Agent-7285915-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7285915-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • embedded_file_obj0012.bin
    SHA-256: c69bc26a600ea6ccf56a3b42a42106c691b0dbc2c785d2db1a0daa8af3827c8c
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x428
    Size: 150300 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 145 long base64-like blobs)
  • javascript_obj0007_000.js
    SHA-256: 1bc4bf38a788adcc495fb84f1f085cb4c62f9f214ddac09c9e3dd447973e35e6
    Kind: pdf-javascript-stream
    Source: PDF /JS object 7 at offset 0x1CC
    Size: 254 bytes