PDF malware analysis — malicious · d840d27973799e09

MALICIOUS

PDF

2.03 MB Created: 2016-01-19 00:42:56 Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))

MD5: f5ad831b6006af2c9cc3843afcbc9feb SHA-1: 977ae5ec5a3bf43efcdc345192ce4b600f725751 SHA-256: d840d27973799e09a68a1b624531c16dfbfd00db061199dd596b97cc6ddca110

130 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier and a ClamAV signature for Unix.Trojan.PhpBackdoor-9354530-2, indicating malicious intent. A PDF_EVAL heuristic firing suggests the presence of obfuscated JavaScript or similar code within the document, likely intended to exploit vulnerabilities for further payload delivery or execution. The document body itself is heavily truncated and unreadable, providing no direct clues to the lure.

Machine Learning

Nyx PDF Classifier malicious score 0.7301

Heuristics 3

ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/iX/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://www.iec.ch

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_008_off0000cd2b.bin` `a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xCD2B	264072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.