Malicious PDF — malware analysis report

Static analysis result for SHA-256 c16aad33cb7e539d…

MALICIOUS

PDF

982.7 KB First seen: 2021-09-27
MD5: 45d9022fd97ded91e0e01aa9e062678d SHA-1: 6d532d32efed7221e7a76f880a209fd666df79c1 SHA-256: c16aad33cb7e539de57fad7b70ea17a45934009d8cd8dbf6ceaebd484ed10ab1
228 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains embedded JavaScript and a critical heuristic firing for an embedded PE payload, indicating it's designed to deliver malware. ClamAV detections confirm the malicious nature of both the PDF and the extracted executable. The embedded JavaScript likely facilitates the execution of the second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 5

  • ClamAV: Win.Malware.Agentb-9808245-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Malware.Agentb-9808245-0
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_00000346.exe embedded-pe PDF raw stream PE payload at offset 0x346 978854 bytes
SHA-256: 3d15ba46fc8a3c8b4a7169c38cc10e4bc900e4412bb6c1665886b618a2ea4718
Detection
ClamAV: Win.Malware.Agentb-9808245-0
Obfuscation or payload: likely
Carved artifact entropy is 7.86, consistent with packed or encrypted content.