Malicious PDF — malware analysis report

Static analysis result for SHA-256 a24768ce5763072d…

MALICIOUS

PDF

23.2 KB
MD5: 52f034ad41f5a515a4cf6875173f6ac9 SHA-1: 9cb964fb4a9603bb98e74ac60b528582202d8d8e SHA-256: a24768ce5763072d95f0da661b78538d7a088fb94b205f4f2405cf379a9f8478
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/JScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ML classifier and ClamAV detection strongly suggest malicious intent, likely exploiting a vulnerability to run this script. The script's exact function is not discernible due to obfuscation, but it is the primary vector for the exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-35646 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35646
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0019_00.bin
729414f6718edf0ec69ca74ac4aadd8cf5d728dc183704dd6bc7f97d97bd8911		 pdf-objstm-decoded PDF /ObjStm 19 0 obj (inflated) 270 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.