Malicious PDF — malware analysis report

Static analysis result for SHA-256 adc993a138a511c1…

Verdict: MALICIOUS
File type: PDF
Size: 284.8 KB
Created: 2017-03-08 09:02:43
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 31f6dbc5cf7ab7911aa7d2b152184417
SHA-1: 6e799f9df5b10b3c34a7956a45e3601c3a1cbe06
SHA-256: adc993a138a511c196f0eb465f648b907b2a6bd40e576e73d79e250c3280f380
Risk Score: 130

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file was flagged by the machine learning classifier (Nyx PDF Classifier, malicious score 0.9910) and by a critical ClamAV detection, Unix.Trojan.PhpBackdoor-9354530-2. A high-severity heuristic (PDF_EVAL) also fired on an eval() call found in the file; in a PDF this normally indicates embedded JavaScript that decodes and executes an obfuscated payload when the document is opened. Taken together, these indicators point to a weaponised document carrying a backdoor payload. Two points for triage: the ClamAV signature name describes a PHP backdoor, which is worth noting alongside the producer string (Joomla!/TCPDF, a PHP stack) when judging whether the match is on PDF-native code or on PHP source carried inside the document; and the eval() hit should be located in the carved FlateDecoded stream to confirm that it belongs to PDF JavaScript. None of these indicators by itself identifies a specific vulnerability being exploited.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9910

Heuristics (2)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000b887.bin
SHA-256:  a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind:     decompressed-pdf-stream
Source:   PDF FlateDecoded stream at offset 0xB887
Size:     264072 bytes
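The two findings above, the PDF_EVAL heuristic and the carved FlateDecoded stream, come from the same basic operation: locate every stream object, inflate the ones declared with /Filter /FlateDecode, and scan the inflated bytes. The following Python is an added illustration of that procedure written for this report; it is not the analysis platform's own code. It assumes the carved-file naming pattern stream_NNN_offXXXXXXXX.bin uses a zero-based stream index and the byte offset of the stream body, and the SAMPLE_PDF it runs on is a constructed minimal document, not the analysed sample. A corrupt or truncated Flate stream is kept as raw bytes rather than dropped, so a sample that deliberately breaks the compressor to evade inflation still gets hashed and scanned.

```python
import hashlib
import re
import zlib

# Constructed sample (not the analysed file): one FlateDecode stream whose
# inflated body carries an eval() call, plus one uncompressed stream.
SAMPLE_JS = b"var d = app.doc; eval(unescape('%61%6C%65%72%74'));"
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_JS)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Length " + str(len(SAMPLE_COMPRESSED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + SAMPLE_COMPRESSED
    + b"\nendstream\nendobj\n"
    b"3 0 obj\n<< /Length 5 >>\nstream\nplain\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Stream bodies sit between the 'stream' and 'endstream' keywords; the
# lookbehind keeps the regex from matching the 'stream' inside 'endstream'.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A direct integer /Length (not an indirect 'n 0 R' reference).
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")
# Same signal as the PDF_EVAL heuristic: an eval( call, whitespace tolerated.
EVAL_RE = re.compile(rb"\beval\s*\(")


def carve_streams(pdf: bytes) -> list:
    """Carve every stream, inflate the FlateDecode ones, and record size,
    SHA-256 and eval() hits. File names follow the report's
    stream_NNN_offXXXXXXXX.bin pattern (zero-based index assumed)."""
    results = []
    for index, match in enumerate(STREAM_RE.finditer(pdf)):
        offset = match.start(1)
        # The stream dictionary is the last '<< ... >>' before the keyword.
        dict_start = pdf.rfind(b"<<", 0, match.start())
        dictionary = pdf[dict_start:match.start()] if dict_start != -1 else b""
        # Prefer the declared /Length: the regex terminator can swallow a
        # trailing 0x0D byte of binary data as part of the EOL before endstream.
        length = LENGTH_RE.search(dictionary)
        body = pdf[offset:offset + int(length.group(1))] if length else match.group(1)
        is_flate = b"/FlateDecode" in dictionary
        data, inflated = body, False
        if is_flate:
            try:
                data, inflated = zlib.decompress(body), True
            except zlib.error:
                # Truncated or corrupt stream: keep the raw bytes so it is
                # still hashed and scanned rather than silently skipped.
                data = body
        results.append({
            "name": f"stream_{index:03d}_off{offset:08x}.bin",
            "offset": offset,
            "flate": is_flate,
            "inflated": inflated,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "eval_hits": len(EVAL_RE.findall(data)),
            "data": data,
        })
    return results


def eval_streams(pdf: bytes) -> list:
    """Names of carved streams that would trip the eval() heuristic."""
    return [r["name"] for r in carve_streams(pdf) if r["eval_hits"]]


if __name__ == "__main__":
    for r in carve_streams(SAMPLE_PDF):
        print(f'{r["name"]} flate={r["flate"]} inflated={r["inflated"]} '
              f'size={r["size"]} sha256={r["sha256"][:16]}... '
              f'eval_hits={r["eval_hits"]}')
```

On the real sample the stream at offset 0xB887 would be the one to open: its inflated size (264072 bytes) and SHA-256 should match the artifact row above, and the eval() hit, if it is in that stream, confirms the heuristic fired on PDF-embedded script rather than on something elsewhere in the file.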