Malicious PDF — malware analysis report

Static analysis result for SHA-256 9aba1e9b454bcffb…

MALICIOUS

PDF

74.1 KB Created: 2009-09-09 11:18:27 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 5cd2b97590afb82016aa56677cf0f42e SHA-1: c44bd9be3617be93d1b12e3fd0ec37e70419007e SHA-256: 9aba1e9b454bcffba259aa9f38989cbe92db1fd840298d88ae291c19691a9e7c
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, specifically as Pdf.Exploit.Agent-30092. The presence of embedded JavaScript streams and the use of ASCII85Decode filters indicate an attempt to obfuscate and execute malicious code. The primary function appears to be exploiting a PDF vulnerability to run JavaScript, which is commonly used to download and execute further stages of malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9378

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-30092 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-30092
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0025_000.js
af5ad937881a332c431302971b150616aace46a4f2bab322f65557146d4e4f2c		 pdf-javascript-stream PDF /JS object 25 at offset 0xE843 24061 bytes
javascript_obj0026_001.js
185e7d70003d547acd5ef0487fd37cc39f111eba54fed8aa9bc2b268ecda9c4a		 pdf-javascript-stream PDF /JS object 26 at offset 0x11F8A 251 bytes
javascript_obj0027_002.js
3bcd9c0bcda5fe81b8deef4c2fa6ced929080505a3fdd2efc3ec866bae554833		 pdf-javascript-stream PDF /JS object 27 at offset 0x1208D 209 bytes
javascript_obj0028_003.js
0827f41f33a23b24e16b3a826b8b1c092658c73fe6faee0b85f41649970ec2fa		 pdf-javascript-stream PDF /JS object 28 at offset 0x12170 166 bytes
javascript_obj0029_004.js
9a64d20a2f47e8f11a4ba2f60d52db909fdb7fd05b796b6128a0a3c0089ddfac		 pdf-javascript-stream PDF /JS object 29 at offset 0x12236 196 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.