Malicious PDF — malware analysis report

Static analysis result for SHA-256 e337d50807545364…

MALICIOUS

PDF

8.0 KB
MD5: 2bb76b34850b4492b739aa99f7f92add SHA-1: 33e2750ecddf1a3942381ecbfbaae62e63ba285f SHA-256: e337d50807545364bd0c6fc4962142983462b0d8a2315fca5e01dcfa3343d146
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ClamAV detection 'Pdf.Exploit.Agent-35903' strongly suggests this is a known exploit. The embedded JavaScript stream, though not fully detailed here, is the likely vector for exploitation. The document body is unreadable, preventing a more specific assessment of the lure, but the presence of exploit code is clear.

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-35903 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35903
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • syncAnnotScan annotation-staging primitive low PDF_FOXIT_SYNCANNOTSCAN
    PDF JavaScript calls syncAnnotScan() — a no-op annotation-enumeration primitive used by exploit-kit JavaScript to stage payload reads from annotation /Subject fields before eval(). Not a vulnerable sink itself; rarely seen in legitimate PDFs. (matched in decompressed stream)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_000_off000001d2.js
860eae5f96eb426380281c575a089242b50523bbb4bbb8dd765e582cd9c07d2e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1D2 294 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.