Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bcf05353f67d403…

MALICIOUS

PDF

692.5 KB Created: 2009-08-21 19:22:22 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: 93b0054ba7907b5484a844df19f8a3f0 SHA-1: fd7fce3fa1270009cd83bcec8e18c674714e5883 SHA-256: 9bcf05353f67d40387428c4e02ebce92707d0157c2e6aa39b68a1a7aaf5aca13
108 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious File

The file was detected as malicious by ClamAV with the signature Pdf.Dropper.Agent-7286309-0. Static analysis revealed embedded JavaScript, indicating an attempt to exploit PDF vulnerabilities. The ML classifier also flagged the PDF with high confidence. The presence of JavaScript suggests the PDF is likely a dropper or exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9593

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7286309-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7286309-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 19

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0380_000.js
36ab918d7f4c14c272a23be327f1afbe98318d8cd24c66e1bdbeab4486db805c		 pdf-javascript-stream PDF /JS object 380 at offset 0xA0375 263 bytes
javascript_obj0381_001.js
a5e1afdcbd769a1a625d06862f5835110a0890f7a51562d802416f35f6efc428		 pdf-javascript-stream PDF /JS object 381 at offset 0xA0486 22745 bytes
icc_00_off0001591b.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x1591B 3144 bytes
font_00_sfnt_off000043d1.bin
336a7a084a76c025a84d5a8cbd6080db9a267cde0e24fe672acabed56b19aa8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x43D1 48764 bytes
font_01_cff_off0000d561.bin
38f4ddd32e736897982ced0858b49da07a104e846d0946b9789f4ef370f99eb2		 pdf-font-stream PDF embedded font (cff) at offset 0xD561 357 bytes
font_02_cff_off0000da0a.bin
2789af23995f8af33b2dae091e9b962494e0b8b0e898fada623820ee9686b3ca		 pdf-font-stream PDF embedded font (cff) at offset 0xDA0A 499 bytes
font_03_cff_off0000df37.bin
755b31802bfcbe5da85fa3b6417005821fa046390579475e59a1b7e221fd17f2		 pdf-font-stream PDF embedded font (cff) at offset 0xDF37 2550 bytes
font_04_cff_off0000ec85.bin
eb7fc9a0f6b5c973d758c18668889ef5241421e8108bf894a9400ecd0930c40c		 pdf-font-stream PDF embedded font (cff) at offset 0xEC85 3369 bytes
font_05_cff_off0000fc2e.bin
ce12ce1ce9ee146def1a9a0aa879316c8283c74b0dab40de60412666b768231d		 pdf-font-stream PDF embedded font (cff) at offset 0xFC2E 2951 bytes
font_06_cff_off00010a63.bin
650743b0083f4117eafe6d934f210cd07b94d118b25ed99f041916d1b6f42ac7		 pdf-font-stream PDF embedded font (cff) at offset 0x10A63 5979 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.40, consistent with packed or encrypted content.
font_07_cff_off000122e3.bin
91487fd16b17d83908b1ba219ae597731b7158e968667787a056b1d4df0de59a		 pdf-font-stream PDF embedded font (cff) at offset 0x122E3 1949 bytes
font_08_cff_off00012ef6.bin
cf4944c56c01f4a65c36b5010c12128ca3ddbe0e6806e8b147a7b04453bfa751		 pdf-font-stream PDF embedded font (cff) at offset 0x12EF6 6612 bytes
font_09_cff_off00014b17.bin
c5675bd2f2b586cbf48ee24f95e1cf91eec1b4928c28c92220efce9ec4db3e29		 pdf-font-stream PDF embedded font (cff) at offset 0x14B17 3996 bytes
font_10_sfnt_off0001819c.bin
2722878b19761e7a433e1ca6f32e7f9fe9cccce4136877b3beb9040f23bd4b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1819C 23432 bytes
font_11_sfnt_off0001b773.bin
80383e85181b7288bd3f68d71356b7e2ef2e1f0ba00d93e81908469c104a18d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1B773 52108 bytes
font_13_cff_off0009864d.bin
b7acc2e77938f52ea0e0e99ad276600cacf4c9a68f9966b0cff658984fc5fdfe		 pdf-font-stream PDF embedded font (cff) at offset 0x9864D 1390 bytes
font_17_cff_off0009d4b1.bin
498107d4b463cdfaabb7ecb0de303a1fd3753cd0475826d8151726b62a86cbb1		 pdf-font-stream PDF embedded font (cff) at offset 0x9D4B1 2026 bytes
font_18_cff_off0009dfd8.bin
6b20e84459271e0cdfae9863860320d5b0fe24a40f52c5aa56fd600bf142e820		 pdf-font-stream PDF embedded font (cff) at offset 0x9DFD8 1370 bytes
font_22_cff_off000a5384.bin
fbf22266dae0292a560fe4992b55ae8d9a60e5393b8105c8e8d7d4434902074f		 pdf-font-stream PDF embedded font (cff) at offset 0xA5384 1230 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.