Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bde5c357a72f1e7…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: b9823a5f7c855cce6ad15d447e6dedb6
SHA-1: e531e11dcbc8c719029fc5e4d6a82647ec0f5887
SHA-256: 9bde5c357a72f1e7c1051e10f358da9187c1291b8ed6f8c0e71c178d4b48bc7f
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Pdf.Exploit.Agent-36128. Static analysis detected embedded JavaScript actions and streams within the PDF structure. The presence of these elements suggests the PDF is designed to exploit vulnerabilities and execute malicious code, likely downloading and running a secondary payload.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0008_000.js
  SHA-256: 8a24fa98e46c0508e689d3a7d25b32510b0748cc50729f12ab76a3432f954d12
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x1E7
  Size: 45305 bytes

Filename: legacy_pdfkit_stage_000.js
  SHA-256: 7cf7a88687156850c0f5ad3095053d039ade9973ef4aec3c81c4df68720c6517
  Kind: deobfuscated-js
  Source: double percent-decoded annotation JavaScript at offset 0x1E7
  Size: 33047 bytes