Malicious PDF — malware analysis report

Static analysis result for SHA-256 a97040efe72d3ee3…

Verdict: MALICIOUS

File type: PDF

Size: 29.4 KB
Created: 2010-02-13 12:49:17 +03:00
Authoring application: [\?_#\^~] (via c273a867d4f81ad1055432bd598e114e)

MD5: d0e8aef7aeea785cf26eb0c5cc2935ee
SHA-1: bc15b199579c297c5ef079010c9d6b4bf189b16a
SHA-256: a97040efe72d3ee316c5237ec5bb6bbb4f9458749f171d322b927b8fd063ce5c

Risk Score: 142

Malware Insights

MITRE ATT&CK

  • T1059.001 JavaScript/JScript
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file was flagged as malicious by a machine learning classifier and ClamAV, specifically as Pdf.Exploit.Agent-13876. It contains embedded JavaScript streams, indicating an attempt to leverage PDF vulnerabilities for code execution. The presence of JavaScript actions and filters like ASCIIHexDecode and ASCII85Decode further supports the exploitation of PDF parsing mechanisms. The primary attack vector appears to be the execution of malicious JavaScript embedded within the document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (6)

  • ClamAV: Pdf.Exploit.Agent-13876 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-13876
  • ASCIIHexDecode filter (with exploit indicators) [medium, PDF_FILTER_HEX]
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) [low, PDF_FILTER_85]
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • Optional Content Group with action trigger [low, PDF_OPTIONAL_CONTENT]
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0018_000.js
    SHA-256: 4b3891efcce5162f5b6e2ea977f0c09d59d48dddb86660baf897aec983ab87e3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 18 at offset 0x24C6
    Size: 34723 bytes
  • Filename: javascript_obj0020_001.js
    SHA-256: 15d652968c59c4630ac4052a9472c2b95c270dc8c326b5509b3cb4d20dbb201c
    Kind: pdf-javascript-stream
    Source: PDF /JS object 20 at offset 0x6F26
    Size: 119 bytes