Malicious PDF — malware analysis report

Static analysis result for SHA-256 e241c1069bf40414…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
MD5: 4d995f6aec097b52648900aa4950a997
SHA-1: c1fba7cb2a348239e43050fef8e283160bda957d
SHA-256: e241c1069bf4041438ea6f85f7a3a01a4b23c052e369ed1a8fbc5f2f959b30d8
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The critical ClamAV heuristic indicates the file is malicious, specifically identified as Pdf.Exploit.Agent-36128. The PDF structure contains embedded JavaScript, which is a common technique for exploiting vulnerabilities and delivering further malicious content. The presence of JavaScript actions and embedded JS streams strongly suggests an attempt to execute code upon opening the PDF. The exact functionality of the JavaScript is not fully discernible due to potential obfuscation, but its presence is a key indicator of malicious intent.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Agent-36128 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • javascript_obj0008_000.js
    SHA-256: 4d1a94996a827c064f0fc62aec820c47d64c54d15a7f1d33fd689b8d9bfa0982
    Kind: pdf-javascript-stream
    Source: PDF /JS object 8 at offset 0x1E7
    Size: 45305 bytes
  • legacy_pdfkit_stage_000.js
    SHA-256: fd59417135a519e5e60d5899f4f25d0fc0a203000e35d4a47fb53b4182b8d26e
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0x1E7
    Size: 33047 bytes