Malicious PDF — malware analysis report

Static analysis result for SHA-256 d607fecde19302a8…

MALICIOUS

PDF

3.3 KB
MD5: 965f802b0929cb4a4559de19faa0fe11 SHA-1: ee389719e470d2445beb66db2e90b2ec1f666770 SHA-256: d607fecde19302a86f54a39515990c4455184e164f9494b09f38b773a8da28eb
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, as indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. ClamAV detection as 'Pdf.Exploit.Agent-36121' strongly suggests it exploits a known PDF vulnerability. The embedded JavaScript is likely responsible for the malicious behavior, potentially downloading and executing a second-stage payload. Due to the lack of specific script content, the exact family is unknown.

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-36121 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36121
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
1ddbad923df128d0814eea021c1a55f1ac2ec987f86a241726ed0f58dcd68e0c		 pdf-javascript-stream PDF /JS object 7 at offset 0xA8B 354 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.