Malicious PDF / .PHP — malware analysis report

Static analysis result for SHA-256 be3b960a5afdbabe…

MALICIOUS

PDF / .PHP

Size: 22.4 KB
Created: 2009-04-24 09:54:29 +02:00
Authoring application: PScript5.dll Version 5.2.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: 9949a3f4c4495dbf77e9b74b71a55df8
SHA-1: 63b6346024b7782cde078b9375ae34aca7ba6205
SHA-256: be3b960a5afdbabe6e47c9f6674d79bc305b36411db6ad3991e91cfacd429422
Risk Score: 76

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File

The file is identified as a malicious PDF by ClamAV (Pdf.Exploit.Agent-19808). Static analysis detected embedded JavaScript, indicating an attempt to exploit vulnerabilities within the PDF reader. The JavaScript is heavily obfuscated, but the presence of 'eval' and string concatenation suggests it is designed to download and execute a second-stage payload. The authoring application information points to a script-based generation method.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-19808 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-19808
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.