Pdf.Dropper.Agent-7001939-0 — PDF malware analysis

Static analysis result for SHA-256 851d1e02b134b222…

MALICIOUS

PDF

6.3 KB Created: 2017-06-08 16:14:34 +02:00
MD5: 13486b57cc3ad49227174f86fd4df606 SHA-1: 6e42b5372e017f45e6afbeee02bd55dd856c3f21 SHA-256: 851d1e02b134b222d0e4012c2bbb61828f1219c66ec5ed9ca291c406cb83461f
84 Risk Score

Malware Insights

Pdf.Dropper.Agent-7001939-0 · confidence 95%

MITRE ATT&CK
T1204.002 Malicious File: Malicious File

The file is identified as a malicious PDF by ClamAV, specifically 'Pdf.Dropper.Agent-7001939-0'. Static analysis revealed an embedded JavaScript stream which is highly indicative of a dropper functionality. This script is likely responsible for downloading and executing a secondary payload, a common technique for malware distribution.

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7001939-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7001939-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_002_off000003a1.js
977d78c88d259a1174dec0def9ff32742a9809da22c76cc791d5c78e80795e15		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x3A1 1614 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.