Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddc9cedcd770be4a…

MALICIOUS

PDF

Size: 292.6 KB
Created: 2017-03-08 09:38:56
Authoring application: Joomla! 1.5 - Open Source Content Management (via TCPDF 2.5.000_PHP4 (http://www.tcpdf.org))
MD5: 2090c588979bd8d94f7ed0d5d42b43a4
SHA-1: 8e6bb1449eab7761d47ab5e365687d331f530c83
SHA-256: ddc9cedcd770be4a1659c0deaf2597639879115209ca617c7acb01615fa11a54
Risk Score: 132

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier and a critical ClamAV rule as a backdoor. The presence of an eval() call within the PDF structure suggests dynamic code execution, which is a common technique for delivering backdoors. The ClamAV detection name 'Unix.Trojan.PhpBackdoor-9354530-2' strongly indicates the nature of the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9921

Heuristics 2

  • ClamAV: Unix.Trojan.PhpBackdoor-9354530-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Unix.Trojan.PhpBackdoor-9354530-2
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: stream_002_off0000b915.bin
SHA-256: a5337ef1f5a0dfe4dc8fa6b4f3ef847a53624800b5928a0eeef5b888ceecaabc
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0xB915
Size: 264072 bytes