Malicious PDF — malware analysis report

Static analysis result for SHA-256 e367aa2b22206e5c…

MALICIOUS

PDF

236.0 KB Created: 2010-07-02 08:58:56 -07:00
MD5: ec0adefabd4e8a61c576bfa3e4adb297 SHA-1: f7f1b57bdcf3640dd0a5978211f610e8d55aa73a SHA-256: e367aa2b22206e5c2d094ad008b9883df1e1942a8814b9858267d3f787cb55bc
158 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file exhibits multiple high-severity heuristic firings, including PDF_JAVASCRIPT, PDF_JS, PDF_EMBEDDED, and PDF_RICHMEDIA, indicating the presence of potentially malicious embedded content. The ML classifier and ClamAV detection strongly suggest malicious intent, specifically identifying it as Win.Trojan.Agent-36159. While the embedded JavaScript stream itself is not directly readable due to obfuscation or truncation, its presence, along with RichMedia content, points towards an attack pattern designed to exploit vulnerabilities or download further malicious components. The benign URLs extracted do not provide specific IOCs for malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9872

Heuristics 7

  • ClamAV: Win.Trojan.Agent-36159 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Agent-36159
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objstm_0035_00.bin
52bd955d0fa873e8d711320d6f487289717adf877fdd263a36eedac4537e03e9		 pdf-objstm-decoded PDF /ObjStm 35 0 obj (inflated) 1993 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.