Malicious PDF — malware analysis report

Static analysis result for SHA-256 d025e326485cef53…

MALICIOUS

PDF

52.2 KB Created: 2017-08-11 11:04:56 +03:00 Authoring application: iTextSharp’ 5.5.10 ©2000-2016 iText Group NV (AGPL-version)
MD5: 0e23f0b9c2edae15497bf13f11c1c195 SHA-1: 330734f70b5a5ca14e03c0429c1011707662513a SHA-256: d025e326485cef53831c0c1443d412af9cd713abfd425f753740356a39ef3ce3
176 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by ML classifiers and ClamAV as malicious. It contains embedded JavaScript and an embedded file, which ClamAV identified as a macro-laden document. This suggests the PDF is a dropper designed to execute a secondary malicious payload, likely the embedded document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-7306485-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7306485-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
20170811810.docm
8e9d0eeeb0924ce6a46b31ffae3b88ee075aa851c71854aa30bd3212931099d1		 pdf-embedded-file PDF EmbeddedFile object 2 at offset 0x929 52317 bytes
Detection
ClamAV: Doc.Macro.Necurs-6412436-0
Obfuscation or payload: unlikely
javascript_obj0004_001.js
1c71762a74794fc180483318703d39b8d612a427102ffe017e9dd009437a5cad		 pdf-javascript-stream PDF /JS object 4 at offset 0xCB4C 247 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.