Pdf.Dropper.Agent-7685817-0 PDF malware analysis — malicious · b335ef5b6a4da527

MALICIOUS

PDF

37.6 KB Created: 2010-04-16 01:17:54 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: 8b33d7042062a299ec4f1be11032781b SHA-1: e68b4af6a42080dcc3296e135a39547f9fe83fe3 SHA-256: b335ef5b6a4da527ca9c91e03fb229107b2334b4f7b17422fb4e945aa8506374

84 Risk Score

Malware Insights

Pdf.Dropper.Agent-7685817-0 · confidence 95%

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV heuristic firing indicates this PDF is recognized as Pdf.Dropper.Agent-7685817-0. Low-severity heuristics confirm the presence of embedded JavaScript and an optional content group with an action trigger, suggesting the JavaScript is intended to be executed upon opening. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for PDF-based malware.

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7685817-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7685817-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `9126234fec5c352e809934aa57971d9b0b45f2130a448ec2c83bc65ab7dd98c5`	pdf-javascript-stream	PDF /JS object 10 at offset 0x8C2B	1344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.