Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6a6a779c7b54961…

MALICIOUS

PDF

Size: 17.9 KB
Created: 2009-08-23 19:47:07
Authoring application: error 4 (via PDF Library 4.5.1.5)
MD5: f9a16c7b2277af034a195ebf589131b1
SHA-1: 07bf5b51b8ecc137ae6a43a3fc9ca5b3ca60f6d5
SHA-256: b6a6a779c7b549618c2b3288e96e37809235c55761000cf6c3eb1a6429769003
Risk Score: 106

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript/Shell

The PDF was flagged by multiple heuristics and a machine learning classifier as malicious. The presence of embedded JavaScript streams indicates that the PDF is designed to execute code. The ClamAV detection 'Pdf.Dropper.Agent-5342604-0' suggests it acts as a dropper for other malicious content. No specific URLs or hashes were extracted, but the embedded JavaScript is the primary mechanism for the attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-5342604-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-5342604-0
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: javascript_obj0014_000.js
  SHA-256: 3f09c33c2a2e65a3312e98158f7426bb0d90164d4f7d6f7c990fb8ce72c447ea
  Kind: pdf-javascript-stream
  Source: PDF /JS object 14 at offset 0x398
  Size: 1166333 bytes

Artifact 2
  Filename: javascript_obj0014_001.js
  SHA-256: 8539ece9b85c9ebf8caaa2f1c5a7d512bdbf29743e9292974cfe0f060ba99a60
  Kind: pdf-javascript-stream
  Source: PDF /JS object 14 at offset 0x3D0
  Size: 524288 bytes