PDF malware analysis — malicious · abd18c2df37de5a0

MALICIOUS

PDF

51.4 KB Created: 2010-07-02 08:58:56 -07:00 Authoring application: Acrobat Editor 9.0 (via Adobe Acrobat 9.0.0)

MD5: 6e053e227af76ae3e48aeddbadd60a2a SHA-1: 9fc825698cf99b89666d748d0aabfd5744ab28d2 SHA-256: abd18c2df37de5a07b2f34d099afb10715ac5ec21e6ca8bb6fefca70a055733a

188 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1566.001 Spearphishing Attachment

This PDF file exhibits multiple indicators of malicious activity, including embedded JavaScript and Flash content. The ClamAV detection 'Win.Trojan.Agent-36159' strongly suggests a trojan payload. The presence of embedded files 'javascript_obj0025_000.js' and 'ooo17035.swf' indicates the document is likely a dropper or exploit container. The PDF is also flagged for containing rich media (Flash), further supporting an exploit-based attack vector.

Heuristics 9

ClamAV: Win.Trojan.Agent-36159 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Agent-36159
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`noharm10608.swf` `ca64020a05673ad10cc585d414267b791fcc982d024dd73eaf90b414e8f897bf`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0xC0	10129 bytes
`ooo17035.swf` `c461cefbe1af3e34f046b2b4ff46d8deb2f5eb417285448c19aef7be66566804`	pdf-embedded-file	PDF EmbeddedFile object 2 at offset 0x2926	22945 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.98, consistent with packed or encrypted content.
`javascript_obj0025_000.js` `890943d8014b9cfa653bcbeaa6c3b0af6eb1bfc83bebc138d72d4ce7c2fe9248`	pdf-javascript-stream	PDF /JS object 25 at offset 0x95CB	4898 bytes
Detection ClamAV: Win.Trojan.Agent-36159 Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.