Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb303cee35f2bb93…

MALICIOUS

PDF

35.5 KB Created: 2009-05-01 21:21:45 Authoring application: tvEeSFCPx (via NeTSnrx)
MD5: 23c02688164f132fed3d58a03cb4cdc9 SHA-1: 7964c3748c1eff40609a77116124f813ecfe881d SHA-256: eb303cee35f2bb935af9c102c45093a088f9a8039df80f57a0d9f07dc1c8d2a9
190 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.007 JavaScript T1204.002 Malicious File

This PDF file was flagged as malicious by ClamAV and a machine learning classifier. It contains embedded JavaScript streams that utilize `eval()` and `unescape()` functions, indicating obfuscation and likely malicious intent. The primary function of the script appears to be downloading and executing a second-stage payload, as suggested by the heuristic firings and the nature of the embedded JavaScript. The specific exploit used is not detailed, but the presence of JavaScript actions and streams points to a common PDF exploitation vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • ClamAV: Pdf.Exploit.Agent-11505 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-11505
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
d68722ea6fcad0bed046c8b5858362c5890dbc067bde214bebdc4092376ba45e		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35126 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0007_001.js
501f040449e88259b38c0010760d12a2bdc013326d2011ce3e72d4962f60a263		 pdf-javascript-stream PDF /JS object 7 at offset 0x215 35039 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.