Verdict: MALICIOUS (Risk Score: 106)
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file contains multiple embedded JavaScript streams and triggers, indicating an attempt to exploit vulnerabilities. The ClamAV detection 'Pdf.Exploit.Agent-2836' strongly suggests malicious intent. The embedded JavaScript actions likely serve to download and execute a secondary payload, a common technique for initial access.
Heuristics (7)

- ClamAV: Pdf.Exploit.Agent-2836 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Pdf.Exploit.Agent-2836
- Embedded script payload in PDF stream [medium, PDF_EMBEDDED_SCRIPT_PAYLOAD]: PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; common in accessible XFA forms but worth surfacing for analyst review.
- JavaScript action [low, PDF_JAVASCRIPT]: PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, PDF_JS]: PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- AcroForm button with action trigger [low, PDF_ACROFORM_BUTTON]: PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
- External URI [info, PDF_URI]: PDF contains an external URL action.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://www.jimkeogh.com/dtds/web-app.dtd)/S/URI
  - http://java.sun.com)/S/URI
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/iX/1.0/
  - http://ns.adobe.com/xap/1.0/mm/
  - http://dx.doi.org/10.1036/0072262109)/S/URI
  - http://www.iec.ch
  - http://www.w3.org/2001/XMLSchema)/S/URI
  - http://saxon.sourceforge.net/)/S/URI
  - http://msdn.microsoft.com/xml/default.aspx)/S/URI
  - http://purl.org/dc/elements/1.1/
  - http://ns.adobe.com/pdf/1.3/
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj1244_000.js | 82d725e755683b25db0216ebe9f73449f9f5dffa25fa7d0bf018422f5fdd38f3 | pdf-javascript-stream | PDF /JS object 1244 at offset 0xF27F8 | 41 bytes |
| javascript_obj1245_001.js | c0ac6bee8656b14ebcf971ba02ee1a41652dc53da3d88d0a476c470f8fe572ec | pdf-javascript-stream | PDF /JS object 1245 at offset 0xF284B | 41 bytes |
| javascript_obj1246_002.js | ac3873bcc8ba37262cc5b6818b50e227ac58a9b785076a59cb7e80e36bc6fe60 | pdf-javascript-stream | PDF /JS object 1246 at offset 0xF289E | 42 bytes |
| javascript_obj1247_003.js | db835677d9848d1ec23b290ee58b1cd4f64bb9c81672880ae70dff07969ec3b1 | pdf-javascript-stream | PDF /JS object 1247 at offset 0xF28F2 | 42 bytes |
| javascript_obj1248_004.js | c64eafef3a81630a0a16c29759bd5d55600f854f919f908ac80f931d00f71edf | pdf-javascript-stream | PDF /JS object 1248 at offset 0xF2946 | 41 bytes |
| javascript_obj1249_005.js | cd62747e15225429503b804f8d3e15bc3597f5ef19aee3c870b3e4cb6bab6b48 | pdf-javascript-stream | PDF /JS object 1249 at offset 0xF2999 | 42 bytes |
| javascript_obj1250_006.js | fc380d633b810ffca0c2baa8485b76cd3764605ea4ee2ec5daa3c5380fe77346 | pdf-javascript-stream | PDF /JS object 1250 at offset 0xF29ED | 41 bytes |
| javascript_obj1251_007.js | d4327e4475b35336ecc327f4065b034f4d11e2c7b18d17c6f4df8d5f31d792ef | pdf-javascript-stream | PDF /JS object 1251 at offset 0xF2A40 | 41 bytes |
| javascript_obj1252_008.js | 639db8f60e5bef6c591f0e0a70cb5c083de97edafc5784ca07d746374802dbaa | pdf-javascript-stream | PDF /JS object 1252 at offset 0xF2A93 | 42 bytes |
| javascript_obj1253_009.js | 2300145bd388cb75bf3874951f43e4db8ac1d2478f53a791e0bd475d1ff49c10 | pdf-javascript-stream | PDF /JS object 1253 at offset 0xF2AE7 | 42 bytes |
| javascript_obj1254_010.js | 8cd82b5a8caf29cb4c9cfe1475fe4d3a26d4cf7abe0109154d6b3fed1129eb8f | pdf-javascript-stream | PDF /JS object 1254 at offset 0xF2B3B | 41 bytes |
| javascript_obj1255_011.js | 18167ebf8eecd405c3488c4d9de85060aa8cd537f33974e228cfb98931177c37 | pdf-javascript-stream | PDF /JS object 1255 at offset 0xF2B8E | 42 bytes |
| javascript_obj1258_012.js | db53c2c0afce781f3b4f708fba1dead8b7ebbf9a99c512df79c9c04aa9395396 | pdf-javascript-stream | PDF /JS object 1258 at offset 0xF2C8A | 41 bytes |
| javascript_obj1259_013.js | 9357a0a2566409e72c07f95c8a7d2d3a65d0a8ce8da08eaeffec947c37d92f26 | pdf-javascript-stream | PDF /JS object 1259 at offset 0xF2CDD | 41 bytes |
| javascript_obj1260_014.js | f0c3395ae49fe9193b4f67a5c02824cb99b0405fd4aa02a5f9f69a71db8212cc | pdf-javascript-stream | PDF /JS object 1260 at offset 0xF2D30 | 41 bytes |
| javascript_obj1261_015.js | 4c6ce411f7a2a26f04488d9813e784e6605587e743cd44b8c1dbc5b9dd026fb9 | pdf-javascript-stream | PDF /JS object 1261 at offset 0xF2D83 | 41 bytes |
| javascript_obj1262_016.js | 2febdad12bb5011cd21cff6fcba4973f12674a8bad399002dff8c7ed2d7e7cab | pdf-javascript-stream | PDF /JS object 1262 at offset 0xF2DD6 | 41 bytes |
| javascript_obj1263_017.js | 83974bf7cc119f9532f89412a91ce6d0442a8aa2688fe823dbc56f41de74a4ad | pdf-javascript-stream | PDF /JS object 1263 at offset 0xF2E29 | 41 bytes |
| javascript_obj1267_018.js | 75a68c88d9874d04653224f587690702b6ec355aeb716791c3571e62c721e762 | pdf-javascript-stream | PDF /JS object 1267 at offset 0xF2F75 | 41 bytes |
| javascript_obj1274_019.js | bd104ab8c5c01606b4d1433bd34b63f4d5193596f4c073c3a39e27db5802f8e2 | pdf-javascript-stream | PDF /JS object 1274 at offset 0xF31BD | 42 bytes |
| javascript_obj1276_020.js | 775dc0fade19b1987bcecf68dd130886a16416bf5377c493cb11df77eb4c101f | pdf-javascript-stream | PDF /JS object 1276 at offset 0xF3264 | 41 bytes |
| javascript_obj1277_021.js | fdf78c0ccda23b192b10b8823722c2b728cc695a1ee1b4f3a2b164fd0acef5fd | pdf-javascript-stream | PDF /JS object 1277 at offset 0xF32B7 | 42 bytes |
| javascript_obj1278_022.js | 2ce916b0f03f3a7ec20966c13a15d5a89451c84579983f4214996b68c9f1fc35 | pdf-javascript-stream | PDF /JS object 1278 at offset 0xF330B | 41 bytes |
| javascript_obj1279_023.js | b1186e20216416d3260d6d0fe65de3ee15363ac91e0a60fe17a9b2708f318a55 | pdf-javascript-stream | PDF /JS object 1279 at offset 0xF335E | 41 bytes |
| javascript_obj1282_024.js | 474a353370d6e661df2680ecb6eee578b64cb7cd2141035b2a2c1e8752a712be | pdf-javascript-stream | PDF /JS object 1282 at offset 0xF3457 | 41 bytes |
| javascript_obj1284_025.js | 759defdde2dc3877abbb405a152abf8a4fa624c409cd3af52647d5b8deadfdfb | pdf-javascript-stream | PDF /JS object 1284 at offset 0xF34FD | 41 bytes |
| javascript_obj1286_026.js | f6001b592af914d4d2f886c3fd0f93c6ba118b6688794b28ac6c55406ca14968 | pdf-javascript-stream | PDF /JS object 1286 at offset 0xF35A3 | 42 bytes |
| javascript_obj1287_027.js | 5ad088ddbebefcf8f1e2840d339ac220e2cadf22b82fc27c06cd78ece4a33ba5 | pdf-javascript-stream | PDF /JS object 1287 at offset 0xF35F7 | 42 bytes |
| javascript_obj1288_028.js | 22caf5ec197e50a5969e46fcef64376be863846bec5f6b13707a9f1da0468b4e | pdf-javascript-stream | PDF /JS object 1288 at offset 0xF364B | 41 bytes |
| javascript_obj1290_029.js | a68484e5ce3091a5075d7e132d36f699e8e5f51bdc49ff211b219dfde2ecdd43 | pdf-javascript-stream | PDF /JS object 1290 at offset 0xF36F1 | 41 bytes |
| javascript_obj1291_030.js | 58467034faedd488f90451b6fbc46f017d888e17aab49a8e7ddda7956f7894d2 | pdf-javascript-stream | PDF /JS object 1291 at offset 0xF3744 | 41 bytes |
| javascript_obj1292_031.js | 9fb7a061fa0f550ab583a020d1f7699066ae317390a6c2c515b7376fa275f842 | pdf-javascript-stream | PDF /JS object 1292 at offset 0xF3797 | 41 bytes |