PDF malware analysis — malicious · b25aeb9f68c2a777

MALICIOUS

PDF

146.0 KB Created: 2008-09-24 19:47:56 Authoring application: Adobe (via Notepad)

MD5: 83347d9a1731db45cdc8af558f68be07 SHA-1: 9f91c285dbeffda52e4586b038341ab0d895db88 SHA-256: b25aeb9f68c2a777a53d86ae8b53bb2f6843c7bf3fc7fb70f628946a8010d0a5

116 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/Shell Script Execution: JavaScript Execution T1204.002 Malicious File: User Execution: Malicious File

The PDF sample contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. A critical PDF_EVAL heuristic firing suggests the use of eval(), which is commonly used to deobfuscate and execute malicious JavaScript. The reconstructed JavaScript string `unescape(unescape(escape(this.info.title)))` is indicative of obfuscated code execution. This pattern suggests the PDF is designed to exploit a vulnerability to run arbitrary code, likely downloading a second-stage payload.

Heuristics 4

ClamAV: Pdf.Exploit.Agent-35931 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35931
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.