PDF malware analysis — malicious · be6afa80591b43da

MALICIOUS

PDF

23.2 KB

MD5: bb56af6644acee791346ab65d3206680 SHA-1: 2a04fbca0a2fadbd7c7f461d8c2b765a2d50655b SHA-256: be6afa80591b43daafc20577ceaf0ebe0c182d04256bae8b12288cbfc571d35f

108 Risk Score

Malware Insights

MITRE ATT&CK

T1059.007 JavaScript T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript, indicated by PDF_JAVASCRIPT and PDF_JS heuristics. ML classification and ClamAV detection strongly suggest malicious intent. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, a common technique for PDF-based malware. No specific family could be identified.

Machine Learning

Nyx PDF Classifier malicious score 0.9981

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7217290-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7217290-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`objstm_0019_00.bin` `729414f6718edf0ec69ca74ac4aadd8cf5d728dc183704dd6bc7f97d97bd8911`	pdf-objstm-decoded	PDF /ObjStm 19 0 obj (inflated)	270 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.