Malicious PDF — malware analysis report

Static analysis result for SHA-256 d985212938165a1a…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: 5753a6ebe3a352d83eadf9dbeb7edd5e
SHA-1: b558956d865ab466329fa50c5b2c3c6a5e7ff199
SHA-256: d985212938165a1a2aef28f93829c3f881a40910b3425e5a563e311b20c517c9
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

ClamAV's critical-severity signature identifies this PDF as Pdf.Exploit.Agent-36128. The file carries embedded JavaScript, recovered both as the raw /JS stream and as a double percent-decoded version, which strongly suggests the script is the vehicle for the exploit. Its likely purpose, consistent with the mapped ATT&CK techniques, is to download and execute a second-stage payload, a common initial-access technique. The two JavaScript heuristics are scored low on their own because JavaScript is common in benign forms; the verdict rests on the ClamAV signature together with the obfuscation of the carved script.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128.
  • JavaScript action (severity: low, rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low, rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: 88a3a25c1559881001af189ba617a3a9484db700bb28884679fabe74d91acc0f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 45305 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: 33082d48b2e312de05b150e5b2a618c48e8291c6c036b89a789004b014ee06d2
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 33047 bytes
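To show what the two JavaScript heuristics check for and how the carving and double percent-decoding step behind the second artifact works, here is an added example; it is not part of this report or of the tool that produced it. It builds a constructed, benign PDF in memory (the object numbers, the FlateDecode stream and the double-encoded payload are assumptions chosen to mirror the artifact listing), flags the /JavaScript and /JS references, carves the script from the referenced stream (indirect reference or inline literal string), and peels percent-encoding layers until a pass changes nothing:

```python
import re
import zlib
from typing import Optional
from urllib.parse import quote, unquote

# Constructed sample, not the analysed file: a minimal PDF whose /OpenAction
# points at a /JavaScript action (object 7) whose /JS is an indirect reference
# to a FlateDecode stream (object 8). The script is benign and is percent-
# encoded twice so the decode step below has layers to strip.
PAYLOAD = "app.alert('hello from a constructed sample');"
STREAM_BODY = zlib.compress(quote(quote(PAYLOAD, safe=""), safe="").encode())

SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
    b"7 0 obj\n<< /Type /Action /S /JavaScript /JS 8 0 R >>\nendobj\n",
    b"8 0 obj\n<< /Length " + str(len(STREAM_BODY)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + STREAM_BODY + b"\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
# Backslash escapes inside a PDF literal string; \( \) \\ keep the escaped byte.
ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> (offset of 'N G obj', object body).

    A linear scan, not an xref walk: malicious files often ship with a broken
    cross-reference table, and triage wants the objects regardless."""
    return {int(m.group(1)): (m.start(), m.group(2)) for m in OBJ_RE.finditer(pdf)}


def heuristics(pdf: bytes) -> list:
    """The two low-severity rules from the report: /JavaScript action, /JS key."""
    hits = []
    if re.search(rb"/S\s*/JavaScript\b", pdf):
        hits.append("PDF_JAVASCRIPT")
    if re.search(rb"/JS\b", pdf):
        hits.append("PDF_JS")
    return hits


def stream_data(body: bytes) -> Optional[bytes]:
    """Raw bytes of an object's stream, trusting a direct /Length when present."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return None
    start = m.end()
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", body[:m.start()])
    if length:
        return body[start:start + int(length.group(1))]
    return body[start:body.find(b"endstream", start)].rstrip(b"\r\n")


def literal_string(body: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at `start`, honouring nested
    parentheses and backslash escapes (octal escapes are not handled)."""
    depth, i, out = 0, start, bytearray()
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\":
            nxt = body[i + 1:i + 2]
            out += ESC.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                break
        out += c
        i += 1
    return bytes(out)


def carve_js(pdf: bytes) -> list:
    """Carve every script reached through a /JS key, inflating FlateDecode streams."""
    objs = parse_objects(pdf)
    found = []
    for num, (off, body) in objs.items():
        ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", body)
        if ref:  # indirect: the script lives in another object's stream
            target = int(ref.group(1))
            if target not in objs:
                continue
            toff, tbody = objs[target]
            raw = stream_data(tbody)
            if raw is None:
                continue
            if re.search(rb"/Filter\s*/FlateDecode", tbody):
                raw = zlib.decompress(raw)
            found.append({"object": target, "offset": toff, "raw": raw})
            continue
        lit = re.search(rb"/JS\s*\(", body)
        if lit:  # inline literal string, e.g. /JS (app.alert(1))
            found.append({"object": num, "offset": off,
                          "raw": literal_string(body, lit.end() - 1)})
    return found


def percent_decode(data: bytes, max_layers: int = 4):
    """Strip nested percent-encoding until a pass changes nothing or the cap is hit.
    Returns (script_text, layers_removed); the report's second artifact is layers == 2."""
    text = data.decode("latin-1")
    layers = 0
    while layers < max_layers:
        decoded = unquote(text)
        if decoded == text:
            break
        text, layers = decoded, layers + 1
    return text, layers


if __name__ == "__main__":
    print("heuristics:", heuristics(SAMPLE_PDF))
    for art in carve_js(SAMPLE_PDF):
        text, layers = percent_decode(art["raw"])
        print(f"object {art['object']} at offset 0x{art['offset']:X}: "
              f"{len(art['raw'])} raw bytes, {layers} percent layer(s) -> {text}")
```

The decoder stops when a pass changes nothing and after a small cap on purpose: a script that legitimately contains a %XX sequence would otherwise be over-decoded, and the number of layers removed is worth recording next to the artifact, as the report does implicitly by labelling the second file "double percent-decoded". Hashing each carved stage separately, as the report does, lets a stage be matched against threat-intelligence feeds even when the outer PDF has been repacked.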