Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1543cd42d03a93b…

MALICIOUS

PDF

9.6 KB Created: 2011-03-02 05:55:48 Authoring application: FPDF 1.6
MD5: 2c4ec446f9046b693b6c0f27057663b9 SHA-1: 8d179cfd0f7d4e264739e6f6dab0fa3012e95634 SHA-256: b1543cd42d03a93b143737d91540b08efffe027219136a59463f80e83222e743
130 Risk Score

Malware Insights

MITRE ATT&CK
T1566.003 Phishing: Spearphishing Attachment T1204.002 Malicious File: Malicious PDF

The critical ClamAV detection and high ML classifier score strongly indicate malicious intent. The presence of XFA forms and JBIG2 decoding filters are common in exploit-laden PDFs. The ML classifier output of 0.997562 further supports the malicious classification. The embedded artifacts suggest the PDF contains exploit code designed to compromise the viewer.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9976

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-36859 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36859
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_006_off00001615.bin
5744e03c91a65e0191f1fd043f4d9e2ce96e8e489a65aa242bb39806be5c1de3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1615 746 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
jbig2_00_off0000189d.bin
f3e563864ee34901cf41a08c7090a8df0f0a84ff1f296e0a1e11ab6df3ad405e		 pdf-jbig2-stream PDF JBIG2 stream (Flate-decoded) at offset 0x189D 3125 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.