Pdf.Dropper.Agent-7125225-0 PDF malware analysis — malicious · bd11c4ab02a751b8

MALICIOUS

PDF

37.2 KB Created: 2009-09-15 20:20:11 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)

MD5: 765c19120d3cb0563aaf74fe84010190 SHA-1: debe5f9e84264061d2d92b46cb0223fbeb454222 SHA-256: bd11c4ab02a751b8ce8d70824ead016e8a36071cc0be3b1c54da1644dc846430

78 Risk Score

Malware Insights

Pdf.Dropper.Agent-7125225-0 · confidence 85%

MITRE ATT&CK

T1059.001 PowerShell

The critical ClamAV heuristic identifies the file as 'Pdf.Dropper.Agent-7125225-0', indicating a known malicious PDF dropper. The presence of multiple embedded JavaScript streams, flagged by 'PDF_JAVASCRIPT' and 'PDF_JS' heuristics, strongly suggests that the PDF is designed to execute malicious code. This JavaScript is likely responsible for downloading and executing a secondary payload, a common technique for droppers. The 'PDF_IMAGE_ONLY_LURE' heuristic indicates the PDF may be visually deceptive, containing images but no meaningful text, further supporting a malicious intent.

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7125225-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7125225-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE

PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0017_000.js` `c3479feb0b855223c178b7bb3043988b862d66be5cea72de36502c9861a49af7`	pdf-javascript-stream	PDF /JS object 17 at offset 0x4AE8	24216 bytes
`javascript_obj0018_001.js` `df45644d49a88434be5053c0dfc8e7086e0bf711e90d58f7056604781935e886`	pdf-javascript-stream	PDF /JS object 18 at offset 0x8C6D	159 bytes
`javascript_obj0019_002.js` `45e802e0707538ce805eeb2488549acdc76be4d40d82cade8afb52812d95c239`	pdf-javascript-stream	PDF /JS object 19 at offset 0x8D38	333 bytes
`javascript_obj0020_003.js` `cd0beb25fa5859fb42f5f1be5fd93ff8837e554ba784680fb47f29b6b9a215ae`	pdf-javascript-stream	PDF /JS object 20 at offset 0x8E6E	205 bytes
`javascript_obj0021_004.js` `583f5774c600053420b22d022eb4e8d6d34e05c7944f1fb594cda8188848606a`	pdf-javascript-stream	PDF /JS object 21 at offset 0x8F41	193 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.