Malicious PDF / .PHP — malware analysis report

Static analysis result for SHA-256 a824b3acd25712dd…

MALICIOUS

PDF / .PHP

Size: 37.0 KB
Created: 2010-04-11 20:49:06 +04:00
Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: b75fddafd8ae0abe9ef4ce1da68c3a9b
SHA-1: 58d8de242b38f6dc67c41b9a4bcf976822a808b5
SHA-256: a824b3acd25712dd754ebc03cbd22c3f970cd3f027429371f9e09023a19fd5f8
Risk score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature Pdf.Exploit.Agent-22611. Static analysis revealed embedded JavaScript, which is often used to exploit vulnerabilities in PDF readers. The presence of JavaScript actions and an embedded JS stream strongly suggests that the file attempts to execute malicious code upon opening. The document body is heavily corrupted and unreadable, providing no further context on the specific lure.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-22611 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22611
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: javascript_obj0010_000.js
SHA-256: d7e18dccec24bfc75e0a6aa44ae443313e476014ecb2dc311ce192a8f1d78e98
Kind: pdf-javascript-stream
Source: PDF /JS object 10 at offset 0x8989
Size: 1344 bytes