Malicious PDF — malware analysis report

Static analysis result for SHA-256 b26185f40a1edb8e…

MALICIOUS

PDF

108.6 KB
MD5: bae997f186b7301dd04e1ec72c8ba086 SHA-1: daee3765966c828cd6feea4fca679d7675873191 SHA-256: b26185f40a1edb8e1d03c8fd7fa3e735073900d3f84841e51171a170be1802d9
194 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.001 Spearphishing Attachment

The PDF contains embedded JavaScript and an embedded file named 'testers.doc'. The document body instructs the user to open 'testers.doc' with Adobe Reader to view its content. This strongly suggests a social engineering lure to trick the user into opening the embedded malicious file, which is likely the primary payload delivery mechanism. The ClamAV detection on the embedded artifact further supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • ClamAV: Rtf.Dropper.Agent-7119036-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Rtf.Dropper.Agent-7119036-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
testers.doc
4b519ff13603e0f241ffe5005f5a2e629700384ba67a29b1c888d6e58ebf3cea		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x3B9 54916 bytes
Detection
ClamAV: Rtf.Dropper.Agent-7119036-0
Obfuscation or payload: unlikely
javascript_obj0009_000.js
9de8714b48604c97535529c03d7ef0049206139da3b7d5084e324c602a5c4c41		 pdf-javascript-stream PDF /JS object 9 at offset 0x1B0D9 60 bytes
javascript_obj0009_001.js
aa6a0fe9dfed56166037361bc51d0bd4825f6984b538b6bad3ef16950f8eef9e		 pdf-javascript-stream PDF /JS object 9 at offset 0x1B0D9 58 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.