PDF malware analysis — malicious · 9d581c859caaf95d

MALICIOUS

PDF

147.2 KB

MD5: 0d28169ecba1b0c1318596c40102216f SHA-1: 10ed08dc57a408be45765449b51abaf4b2bfc1c4 SHA-256: 9d581c859caaf95d312ee7ce86e6e37d746ef282e6d04ea502c85c7e7c5a167f

176 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF sample contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ML classifier and ClamAV detection strongly suggest malicious intent, specifically identifying it as Pdf.Exploit.Agent-36189. The embedded JavaScript is likely responsible for exploiting a vulnerability within the PDF reader to download and execute a second-stage payload. The presence of obfuscation indicators in the extracted artifacts further supports this. The URLs found within the document are considered suspicious and may be related to the attack infrastructure.

Machine Learning

Nyx PDF Classifier malicious score 0.9998

Heuristics 8

ClamAV: Pdf.Exploit.Agent-36189 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36189
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.bitstream.com
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0013_000.js` `defb01cdcb2f62a7f9edc7657f55f650cdb3be949d58200cc69ceb5570b0e50b`	pdf-javascript-stream	PDF /JS object 13 at offset 0x10531	27637 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`javascript_obj0013_001.js` `89b3ce538d85bcdbe59c7d00f75027938a2de4aab5b04664f017e10ea1007641`	pdf-javascript-stream	PDF /JS object 13 at offset 0x1056D	27645 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 2 eval/decoder/string-building token(s).
`font_00_sfnt_off00000352.bin` `a8f4d9b7d604c3c8a0bf3f9a31b9e952d467f98d118fdc784d95d689a14d8a33`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x352	65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.