Malicious PDF — malware analysis report

Static analysis result for SHA-256 dbfd6ca8809c2e88…

MALICIOUS

PDF

126.3 KB Created: 2009-08-11 12:43:52 Authoring application: Scribus 1.3.3.13 (via Scribus PDF Library 1.3.3.13)
MD5: b6bc2b5246787c4b37067bf59831ed37 SHA-1: dddfbcd44b280a3909b7d37202bc63ffd20795ad SHA-256: dbfd6ca8809c2e881340b69edf5ca65e807815446083086ca65ddb4954172ead
110 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

This PDF file was flagged as malicious by ClamAV and an ML classifier. It contains embedded JavaScript streams, indicating an attempt to execute code. The presence of PDF_JAVASCRIPT and PDF_JS heuristics confirms the use of JavaScript within the PDF structure. While the exact payload is not discernible due to obfuscation or truncation, the overall pattern suggests a typical exploit delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9734

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-22709 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-22709
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0062_000.js
a498b892a1baa6e21b80f6631968515bce41795ec99e6643e29b9a2a3171a3d1		 pdf-javascript-stream PDF /JS object 62 at offset 0x12770 100595 bytes
javascript_obj0063_001.js
2f3a49b423601632167df242cd6e8cd1a80236c63d70a2f665a48bae524a78fc		 pdf-javascript-stream PDF /JS object 63 at offset 0x1C5EE 28812 bytes
javascript_obj0064_002.js
4762aee85fcb17295913f060254a4108320714dadd8d76ff804206d9cfb3ad1c		 pdf-javascript-stream PDF /JS object 64 at offset 0x1EF2A 87 bytes
javascript_obj0065_003.js
5cd3539cfb3d20617d0e4b4cd52d5b72447b4b3a8b0788f37c79de594d957fa2		 pdf-javascript-stream PDF /JS object 65 at offset 0x1EFBA 87 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.