Malicious PDF — malware analysis report

Static analysis result for SHA-256 b84cd4b7b57260d3…

MALICIOUS

PDF

74.1 KB Created: 2009-09-09 11:18:27 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: b183474507acbf321a87586479a9570a SHA-1: 58f9d24b6a70b1ae793447e96595bfd04257af05 SHA-256: b84cd4b7b57260d32bbfc2e713629027e77d76c3f609800cd37b7c77cd5ebb4b
116 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file was flagged by a machine learning classifier and ClamAV as malicious (Pdf.Dropper.Agent-1828935). Heuristics indicate the presence of embedded JavaScript and ASCII85Decode filters, commonly used to obfuscate malicious code within PDFs. The embedded JavaScript streams likely contain code to download and execute a second-stage payload, contributing to the overall malicious nature of the document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9378

Heuristics 5

  • ClamAV: Pdf.Dropper.Agent-1828935 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1828935
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) low PDF_FILTER_85
    ASCII85 encoding filter present alongside exploit delivery indicators — uncommon outside of obfuscation
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0025_000.js
1ace5433f6715616a04d84294ca8a40ae745404f6537dd443a9d50c546fd642d		 pdf-javascript-stream PDF /JS object 25 at offset 0xE843 23973 bytes
javascript_obj0026_001.js
9588b8834372aefb07dec93ed495e2e3ff66986cbf8ffb7034c2e6622a4c29d7		 pdf-javascript-stream PDF /JS object 26 at offset 0x11FB4 198 bytes
javascript_obj0027_002.js
1775917a8a4481b493e9832748ad11440a07d9bacc62f4ab7f6f57ea6a8c1330		 pdf-javascript-stream PDF /JS object 27 at offset 0x120AF 214 bytes
javascript_obj0028_003.js
a8b0493f52f7d48a0876e9ac31ea2336b86a6891381fdcdb2daf7dea77df5add		 pdf-javascript-stream PDF /JS object 28 at offset 0x12191 128 bytes
javascript_obj0029_004.js
ac1a9c016e8963e829319ca6bcb3c9a8f3047c713cf1d4f955e1220e65447f77		 pdf-javascript-stream PDF /JS object 29 at offset 0x1223D 181 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.