Malicious PDF — malware analysis report

Static analysis result for SHA-256 c53ae5250ada31eb…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: a84eb48f560d70f19b438d6464f722e1
SHA-1: 28eedb17a0ff1fc82a7269d20219fd1e95c16949
SHA-256: c53ae5250ada31eb2061ae36f46c8576267e71c943d1f5804d00ad617ae1ab29
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical-severity ClamAV heuristic identifies the file as Pdf.Exploit.Agent-36128. Two further heuristics confirm that JavaScript is embedded within the PDF structure. Taken together, this suggests the file is designed to exploit a PDF vulnerability in order to execute malicious JavaScript, most likely to download and execute a second-stage payload.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action [low, PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low, PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: javascript_obj0008_000.js
  SHA-256: 055bfe16babf4ae85dd63cb52fa25a38bbcaea204ac4272913a3c458604e8d5d
  Kind: pdf-javascript-stream
  Source: PDF /JS object 8 at offset 0x1E7
  Size: 45305 bytes

Filename: legacy_pdfkit_stage_000.js
  SHA-256: 611e0e434cdcef00c9d187c9468c41f8b73e22556c8802283c26d1ead054f342
  Kind: deobfuscated-js
  Source: double percent-decoded annotation JavaScript at offset 0x1E7
  Size: 33047 bytes