Malicious PDF — malware analysis report

Static analysis result for SHA-256 db6a9de8b78af6be…

MALICIOUS

PDF

16.6 KB Authoring application: Xedeehagireuehoefovi (via Sahagipohesico)
MD5: ef83055eb7c610f8f16fbbdbf4f1ffaa SHA-1: dc0f9947f5db8fc14875d6e21818bb32279e3646 SHA-256: db6a9de8b78af6be4833f2fc44eeb427d61194b7c279be8d72e1e867423864c9
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including a high-confidence ML classifier and ClamAV detection as 'Pdf.Exploit.Agent-24092'. The presence of embedded JavaScript actions and streams indicates an attempt to execute malicious code. While the document body is unreadable, the technical indicators strongly suggest this PDF is designed to exploit vulnerabilities and download a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-24092 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-24092
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0026_000.js
4dbcf10d04e0b59ba691940d5f2de54e36a6b11d4f473908e1ec3e0ae2dfe554		 pdf-javascript-stream PDF /JS object 26 at offset 0x3851 36749 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.