PDF malware analysis — malicious · c32ea31b28751fbd

MALICIOUS

PDF

37.4 KB Created: 2010-04-20 21:49:11 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: 372d2e7650c7922c053996ff3b4ea134 SHA-1: c587ca456a4ac6e0390226bec62a9b3ec00df455 SHA-256: c32ea31b28751fbde57d12176d9f147dbe0a94f0ac5d6ba53570fbcd1feb2bbd

114 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by a machine learning classifier and ClamAV as malicious, specifically identified as a dropper. Heuristics indicate the presence of JavaScript actions and embedded JS streams, suggesting the PDF is designed to execute malicious code. The ML classifier output of 0.999888 strongly supports its malicious nature. The ClamAV detection name 'Pdf.Dropper.Agent-7217771-0' indicates its function as a dropper.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

ClamAV: Pdf.Dropper.Agent-7217771-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7217771-0
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `032d2f1e9089a364db1810c041cea87acf58ed5217e6101a83cfbcd002b9f6aa`	pdf-javascript-stream	PDF /JS object 10 at offset 0x70CC	8162 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.