Malicious PDF — malware analysis report

Static analysis result for SHA-256 db1f6fa4b8ec4afc…

Verdict: MALICIOUS
File type: PDF
File size: 1.2 KB

MD5: cf1548c9cefff92f4abbea2699158dec
SHA-1: 871e790dbdfa9c741bdd80df70ad7a508ea53ea2
SHA-256: db1f6fa4b8ec4afc0e53dedfe22dfffbc2588ba8f3d821da2ae498e3bfc04b18

Risk Score: 84

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The critical ClamAV heuristic indicates the file is malicious, specifically identified as Pdf.Exploit.Agent-35903. Low-severity heuristics confirm the presence of embedded JavaScript within the PDF structure, which is commonly used to exploit vulnerabilities and download further malicious content. The embedded JavaScript stream is the primary mechanism for exploitation.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-35903 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35903
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off000001d2.js
SHA-256:  860eae5f96eb426380281c575a089242b50523bbb4bbb8dd765e582cd9c07d2e
Kind:     decompressed-pdf-stream
Source:   PDF FlateDecoded stream at offset 0x1D2
Size:     294 bytes