MALICIOUS
116
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The critical ClamAV detection and multiple PDF-specific heuristics indicate this is a malicious PDF. The presence of embedded JavaScript, noted by PDF_JAVASCRIPT and PDF_JS firings, suggests the document is designed to execute code. The PDF_ENCRYPTED_WITH_JS heuristic confirms that the JavaScript is used to obscure the exploit payload, making static analysis difficult. The ClamAV detection name 'Pdf.Exploit.Agent-24140' directly points to an exploit being present.
Heuristics 4
-
ClamAV: Pdf.Exploit.Agent-24140 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-24140
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0032_000.js4da4f73f6618057b400e95eb90896b30eebd559b412ef35499db75cc5f969607 |
pdf-javascript-stream | PDF /JS object 32 at offset 0x2038 | 42 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.