PDF / .PHP malware analysis — malicious · e51110556c0a9268

MALICIOUS

PDF / .PHP

37.0 KB Created: 2010-04-11 20:48:53 +04:00 Authoring application: TCPDF (via TCPDF 4.8.032 (http://www.tcpdf.org))

MD5: 2117185980d3ba691acaad90f9e3f62f SHA-1: 8adb266d64fd433f480fd5d28bee695b551a0407 SHA-256: e51110556c0a9268d75bbd44d01e93eb0259d742c29bf66cf9643c2b71a155d6

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The file is detected as malicious by ClamAV with the signature Pdf.Exploit.Agent-22609. Static analysis revealed embedded JavaScript within a PDF structure, indicating an attempt to exploit a vulnerability. The JavaScript action and embedded JS stream heuristics confirm the presence of executable code. The exact behavior of the script is not fully discernible due to potential obfuscation, but its presence within a PDF exploit signature strongly suggests it's designed to download and execute a secondary payload.

Heuristics 4

ClamAV: Pdf.Exploit.Agent-22609 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-22609
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT

Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0010_000.js` `f9e35931cb8144dadf6843105c72bb18dcdea603c07ce51802849448b520e7a6`	pdf-javascript-stream	PDF /JS object 10 at offset 0x89C6	1344 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.