Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc3187e15c6b9587…

MALICIOUS

PDF

33.6 KB
MD5: 279ce734dde78e36938c922784a60d2d SHA-1: 42f042330d9a9f5b3b8a234778c369052e3da652 SHA-256: cc3187e15c6b95875230ec977f74c9e66355dc142d21cdd20fac3f0423de61b6
218 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

This PDF file was flagged as malicious by multiple engines, including ClamAV which identified it as 'Heuristics.PDF.ObfuscatedNameObject'. The presence of embedded JavaScript and a RichMedia (Flash) object, specifically 'OnYhBQHwspXiw.swf', strongly suggests an exploit attempt. The embedded Flash file was also detected as malware by ClamAV ('Swf.Exploit.Kit-513'), indicating it likely serves as a secondary payload delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9870

Heuristics 7

  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
OnYhBQHwspXiw.swf
82959a74bd2f365dbaff0af8a126e8d6efed63f658723f179f7020ea3628ed8b		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x17E4 27931 bytes
Detection
ClamAV: Swf.Exploit.Kit-513
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
javascript_obj0006_000.js
1512fd564e720d30f8d1e677f166608d75d3507fb82456f52396fce102087c08		 pdf-javascript-stream PDF /JS object 6 at offset 0x13A 4258 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.