Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcad55f25fb2034d…

Verdict: MALICIOUS
File type: PDF
Size: 12.5 KB
MD5: be4fb9e39c32441c33e8633affd0f819
SHA-1: 8d0bfbad824d9528b447aacd7515f142c55f7986
SHA-256: bcad55f25fb2034dbe54d8eba146332ebe2f04761108c4d593e8c3fbb73564d5
Risk Score: 166

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF contains embedded JavaScript: both the /JavaScript action and /JS stream heuristics fired, and a JavaScript file was carved from object 76. On their own those two heuristics are low severity, since benign forms also use JavaScript; what makes the verdict firm is the pair of ClamAV detections, one on the document itself (Pdf.Exploit.Agent-36722) and one on the carved script (Pdf.Exploit.Pdfka-9), both classifying it as a PDF exploit. The embedded JavaScript is the likely mechanism for triggering the exploit and running its payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36722 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36722
  • ClamAV detection on extracted artifact (severity: critical, rule EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:    javascript_obj0076_000.js
SHA-256:     c5846661a9843715f5716419aa88d602d906ca37ce745f52a4d76bace4ca2285
Kind:        pdf-javascript-stream
Source:      PDF /JS object 76 at offset 0x369
Size:        11646 bytes
Detection:   ClamAV: Pdf.Exploit.Pdfka-9
Obfuscation or payload: unlikely
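The heuristics (/JavaScript action, /JS stream) and the artifact row (object number, byte offset, size, SHA-256 of the carved script) above describe the two steps of a JavaScript triage. The script below, added here as an illustration and not the analysis platform's own tooling, performs both on a constructed PDF built in memory: it counts the indicator names, resolves each /JS value to its object, inflates the FlateDecode stream and hashes the result into a row shaped like the artifact table. It goes a little beyond this sample's case on purpose: it undoes hex-escaped names (/J#53 for /JS), reads direct /JS literal strings with balanced parentheses, and recovers what it can from truncated Flate streams. All function names, the sample document and the two payload strings are assumptions made for the example; nothing here is this sample's real JavaScript.

```python
# Added example, not the platform's tooling: triage a PDF for JavaScript and carve /JS streams.
import hashlib
import re
import zlib

# Names the PDF_JAVASCRIPT / PDF_JS heuristics key on, plus triggers that usually accompany them.
INDICATORS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Constructed payloads for the sample document below; not the real sample's code.
JS_STREAM_PAYLOAD = b"var sc = unescape('%u9090%u9090'); // stand-in payload\n"
JS_DIRECT_PAYLOAD = b"app.alert(1); this.exportDataObject({cName: 'x'})"

def normalize_names(data: bytes) -> bytes:
    """Undo #xx name escapes (/J#53 -> /JS), used to hide /JavaScript from literal-token scanners."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def iter_objects(pdf: bytes):
    """Yield (object number, byte offset, normalized dictionary, body) for each 'N G obj ... endobj'."""
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        yield int(m.group(1)), m.start(), normalize_names(body.split(b"stream", 1)[0]), body

def count_indicators(pdf: bytes) -> dict:
    """Count indicator names across all object dictionaries."""
    counts = {name.decode(): 0 for name in INDICATORS}
    for _num, _off, head, _body in iter_objects(pdf):
        for name in INDICATORS:
            # A delimiter must follow, so /JS does not also count /JSX-style names.
            counts[name.decode()] += len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", head))
    return counts

def read_literal_string(data: bytes, start: int) -> bytes:
    """Read the literal string at data[start] == b'('. PDF allows balanced parentheses
    unescaped, so (app.alert(1)) has to be tracked by depth; escapes are kept as written."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i]
        if c == 0x5C:                       # backslash: copy the escape pair
            out += data[i:i + 2]
            i += 2
            continue
        depth += (c == 0x28) - (c == 0x29)  # '(' opens, ')' closes
        if depth == 0:
            break
        if not (c == 0x28 and depth == 1):  # drop only the outermost '('
            out.append(c)
        i += 1
    return bytes(out)

def inflate(raw: bytes) -> bytes:
    """zlib.decompress rejects truncated streams; decompressobj returns whatever it could recover."""
    for decompress in (zlib.decompress, zlib.decompressobj().decompress):
        try:
            return decompress(raw)
        except zlib.error:
            continue
    return b""

def stream_data(head: bytes, body: bytes):
    """Decoded stream bytes, or None if the object has no stream. A direct /Length
    is honoured; otherwise the data runs up to the 'endstream' keyword."""
    _dict, sep, rest = body.partition(b"stream")
    if not sep:
        return None
    rest = rest[2:] if rest.startswith(b"\r\n") else rest[1:] if rest.startswith(b"\n") else rest
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", head)
    raw = rest[:int(length.group(1))] if length else rest.split(b"endstream", 1)[0].rstrip(b"\r\n")
    return inflate(raw) if b"/FlateDecode" in head else raw

def artifact(num: int, off: int, kind: str, js: bytes) -> dict:
    return {"object": num, "offset": off, "kind": kind, "size": len(js),
            "sha256": hashlib.sha256(js).hexdigest(), "js": js}

def carve_javascript(pdf: bytes) -> list:
    """Resolve every /JS value: a direct literal string, or an 'N G R' reference to a
    stream object that is located by number, decoded and hashed."""
    objects = {num: (off, head, body) for num, off, head, body in iter_objects(pdf)}
    found = []
    for num, (off, head, _body) in objects.items():
        for m in re.finditer(rb"/JS\s*\(", head):
            found.append(artifact(num, off, "direct string", read_literal_string(head, m.end() - 1)))
        for m in re.finditer(rb"/JS\s+(\d+)\s+\d+\s+R\b", head):
            target = int(m.group(1))
            if target in objects and (js := stream_data(*objects[target][1:])) is not None:
                found.append(artifact(target, objects[target][0], "stream", js))
    return found

def build_sample_pdf() -> bytes:
    """Constructed document, not a real sample: object 2 is the /OpenAction JavaScript action whose
    /JS points at a FlateDecode'd stream (object 3); object 4 hides a direct /JS string behind /J#53."""
    comp = zlib.compress(JS_STREAM_PAYLOAD)
    objs = [b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n",
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n",
            b"3 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
            + comp + b"\nendstream\nendobj\n",
            b"4 0 obj\n<< /S /Java#53cript /J#53 (" + JS_DIRECT_PAYLOAD + b") >>\nendobj\n"]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Running carve_javascript(build_sample_pdf()) yields two rows: object 3 (the stream, located by its byte offset and decoded) and object 4 (the direct string), each with the size and SHA-256 the artifact table reports for the real sample's object 76. The regex-based object walk is a triage aid, not a PDF parser: it does not unpack object streams (/ObjStm), follow /Names trees, read hex-string /JS values or resolve an indirect /Length, so a clean result from it does not clear a document on its own.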