Malicious PDF — malware analysis report

Static analysis result for SHA-256 a4c6498b57fce683…

MALICIOUS

PDF

Size: 37.1 KB
Created: 2010-04-12 17:50:12 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: e0a971dd8a1113516fe0d4088b103941
SHA-1: 5beac99429b1dd219d2731041ab636a24690f81c
SHA-256: a4c6498b57fce683a7340c2f33e2e0553acc1c8f53fb0f74fccc323fdefbb769
Risk Score: 114

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The file is a PDF document identified as malicious by ClamAV (Pdf.Exploit.Agent-22532) and a machine learning classifier. Heuristics indicate the presence of embedded JavaScript and an optional content group with an action trigger, suggesting an exploit attempt. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, which is a common technique for delivering malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-22532 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22532.
  • JavaScript action (low, PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger (low, PDF_OPTIONAL_CONTENT)
    Optional Content Group (layer) co-occurs with an action trigger: content can be selectively hidden from viewers or scanners while the action still fires on open.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256:  77517be549088f395bac299b6efe13acddfd02c8f273d9673b2b1635a712c928
Kind:     pdf-javascript-stream
Source:   PDF /JS object 10 at offset 0x89DD
Size:     1344 bytes