Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e4e3915f7c20153…

Verdict: MALICIOUS
File type: PDF
Size: 12.0 KB
MD5: 9501ea89c714977eae4119f27006d329
SHA-1: 21a9c1a90d665fdbafab72b2f9e08f61224f38b0
SHA-256: 9e4e3915f7c201531ebade564510810ae9b92ab79a29b61234d17ed5368d8836
Risk Score: 136

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The file is a PDF document that ClamAV identifies as Pdf.Exploit.Agent-36722 and that carries embedded JavaScript (a /JavaScript action referencing a /JS stream). JavaScript on its own is a weak indicator, since benign forms use it too, so the verdict rests on the two signature hits: the detection on the document itself and Pdf.Exploit.Pdfka-9 on the JavaScript stream carved from object 76. Together they point to an attempt to exploit the PDF reader and run the script; the Pdfka-9 detection on the extracted artifact suggests that script acts as a downloader for further stages, although this role is inferred from the signature rather than confirmed by inspection of the decoded script.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36722 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36722
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:    javascript_obj0076_000.js
SHA-256:     541de497d5a19afce42d774d48130d33b3be866fa9ebea771e00d8094454c529
Kind:        pdf-javascript-stream
Source:      PDF /JS object 76 at offset 0x369
Size:        11216 bytes
Detection:   ClamAV: Pdf.Exploit.Pdfka-9
Obfuscation or payload: unlikely
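The two JavaScript heuristics above (PDF_JAVASCRIPT and PDF_JS) and the artifact line "PDF /JS object 76 at offset 0x369" describe what a triage carver does: count suspicious PDF name tokens, locate the /JavaScript action, follow its /JS reference to the stream object, record that object's file offset, and inflate the stream so a signature engine can scan the decoded script. The following is an added example written for this page, not the analysis platform's own code, and the PDF it scans is constructed inline. It deliberately #-escapes the action name (/Java#53cript) to show why keyword matching must resolve name escapes before comparing; it does not parse the xref table or object streams (/ObjStm) and only handles FlateDecode, which is enough for a first look but not a substitute for a full PDF parser.

```python
"""Triage carver for /JavaScript actions and /JS streams in a PDF (added example)."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def unescape_names(data: bytes) -> bytes:
    """Resolve PDF #xx name escapes so /Java#53cript compares equal to /JavaScript."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def iter_objects(pdf: bytes):
    """Yield (object number, file offset, raw body) for every 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(pdf):
        yield int(m.group(1)), m.start(), m.group(3)


def decode_stream(body: bytes):
    """Return the stream payload of an object, inflating it if the dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    if re.search(rb"/FlateDecode\b", unescape_names(body[: m.start()])):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # corrupt or truncated stream: hand the raw bytes to the analyst
    return data


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style counts of risky name tokens, computed after resolving #xx escapes."""
    norm = unescape_names(pdf)
    keys = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"]
    return {k.decode(): len(re.findall(re.escape(k) + rb"\b", norm)) for k in keys}


def carve_javascript(pdf: bytes) -> list:
    """Find /S /JavaScript actions and resolve their /JS code, inline or via an indirect reference."""
    objects = {num: (off, body) for num, off, body in iter_objects(pdf)}
    findings = []
    for num, (off, body) in objects.items():
        norm = unescape_names(body)
        if not re.search(rb"/S\s*/JavaScript\b", norm):
            continue
        inline = re.search(rb"/JS\s*\((.*)\)", norm, re.DOTALL)  # literal string form
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R\b", norm)         # reference to a stream object
        if inline:
            findings.append({"obj": num, "offset": off, "kind": "inline-js",
                             "code": inline.group(1)})
        elif ref and int(ref.group(1)) in objects:
            target = int(ref.group(1))
            toff, tbody = objects[target]
            findings.append({"obj": target, "offset": toff, "kind": "js-stream",
                             "code": decode_stream(tbody)})
    return findings


def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed sample): an OpenAction whose JavaScript
    lives in a FlateDecode stream, with the action name #-escaped to defeat a naive grep."""
    js = b"app.alert('constructed sample');"
    packed = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /Java#53cript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(packed), packed),
    ]
    out = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, o)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(count_keywords(sample))
    for f in carve_javascript(sample):
        print(f"obj {f['obj']} at offset {f['offset']:#x} ({f['kind']}): {f['code']!r}")
```

On the constructed sample this reports one JavaScript stream, object 4, with the decoded script, which is the shape of the "PDF /JS object 76 at offset 0x369" artifact line above; the carved bytes are what would be written to a file such as javascript_obj0076_000.js and handed to the AV engine. Note that a plain `grep /JavaScript` over the same file finds nothing because of the #53 escape, which is why the keyword counter normalizes names first.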