PDF malware analysis — malicious · a8de3be3dcd7f02c

MALICIOUS

PDF

27.7 KB

MD5: cb430dedf0645984c53a066ef34fe646 SHA-1: 13179a4c99271e6a59baf08b5e4e88f57178811c SHA-256: a8de3be3dcd7f02ce946d1e5c5221859eb02df78d97844bcd805e88d03b98025

136 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1059.003 Windows Command and Shell

The PDF file contains embedded JavaScript, identified by multiple heuristics. The ClamAV detection 'Win.Trojan.Agent-36100' strongly suggests malicious intent. The obfuscated JavaScript likely serves as a downloader for a secondary malicious payload, a common technique for initial access and further infection.

Heuristics 4

ClamAV: Win.Trojan.Agent-36100 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-36100
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0008_000.js` `b2ed20a1b0cf904b9b9e2ccfd81f191250f390cd0d6588087fe741c91ecd96b8`	pdf-javascript-stream	PDF /JS object 8 at offset 0x1E7	27621 bytes
Detection ClamAV: Win.Trojan.Agent-36100 Obfuscation or payload: unlikely
`legacy_pdfkit_stage_000.js` `70ca7311124af5fa6755f2ee342fc793d6b0761d127c0fc4ff1008b924e43312`	deobfuscated-js	double percent-decoded annotation JavaScript at offset 0x1E7	15189 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.