Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3c12580c602b2bf…

MALICIOUS

PDF

37.8 KB Created: 2010-04-19 21:56:58 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))
MD5: 17c2ea870753a198a40248bb205f9b5e SHA-1: dba910fa21d9e31cfa65dd0b44bbe2c489cd4065 SHA-256: e3c12580c602b2bfa0072c2d6247b3566360db02c3d33eb903a838b1e439a6e6
84 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT and PDF_JS. The ClamAV detection of 'Pdf.Exploit.Agent-23563' strongly suggests this is a known PDF exploit. The embedded JavaScript is likely responsible for triggering the exploit, leading to the execution of malicious code. The document body text is garbled and does not provide further context on the lure.

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-23563 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-23563
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0010_000.js
67bf9716993e95783a6d15b7eaf3f4ef29d164fc682e59f921125ece643d577a		 pdf-javascript-stream PDF /JS object 10 at offset 0x8CF4 1346 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.