Malicious PDF — malware analysis report

Static analysis result for SHA-256 e44b4b730d5c281d…

MALICIOUS

PDF

12.6 KB
MD5: 035f1dcfc5be12cf378f864c3f76c2c7 SHA-1: 741355e6d463b92bd261e100e872ade1f32a459e SHA-256: e44b4b730d5c281d6c4bed52169e76c074c0e0b3bad38cf1595741cc8bf3eb1b
106 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious File

The PDF was flagged as malicious by a machine learning classifier and ClamAV, with the latter identifying it as Pdf.Exploit.Pdfka-9. Analysis revealed embedded JavaScript, indicating an attempt to exploit vulnerabilities within the PDF reader. The primary attack vector appears to be the execution of this embedded script, likely to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0076_000.js
73d9f0f1369bc6eeb661c3a4c148abd9120ab9c0a3d71b1ddeb1818e544e6e21		 pdf-javascript-stream PDF /JS object 76 at offset 0x369 11832 bytes
Detection
ClamAV: Pdf.Exploit.Pdfka-9
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.