Malicious PDF — malware analysis report

Static analysis result for SHA-256 dc690712459ecf58…

Verdict: MALICIOUS
File type: PDF
Size: 498.2 KB
Created: 2017-03-08 09:02:38
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: def5aa6620531583c7df67cd38548636
SHA-1: 8662ecf8576c84666211a86d99a0d3ffb2cdf7a3
SHA-256: dc690712459ecf5883c992668903399834af0d035cb4f40fba1b77db9c208bc1
Risk score: 130

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged by multiple high-confidence heuristics, including a critical ClamAV detection for 'Unix.Trojan.PhpBackdoor-9354530-2'. The presence of an 'eval()' call within the PDF structure strongly suggests code execution, likely to load the detected backdoor. While no specific URLs or scripts were extracted, the ClamAV signature and the eval heuristic are sufficient to classify this as a malicious PDF delivering a backdoor.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics (3)

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call (severity: high, tag: PDF_EVAL)
    eval() found; commonly used for obfuscated exploit execution
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all four are standard XMP/RDF metadata namespace identifiers, found in most PDFs that carry XMP metadata):
    • http://ns.adobe.com/xap/1.0/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_002_off0000b910.bin
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xB910
Size: 264072 bytes