Malicious PDF — malware analysis report

Static analysis result for SHA-256 f144de7276534431…

MALICIOUS

PDF

Size: 57.3 KB
Created: 2009-12-21 13:51:43 +03:00
Authoring application: manyTypeAre (via 43dd49b4fdb9bede653e94468ff8df1e)
MD5: 57349f075de0af2ff495c6cf425bca93
SHA-1: 8239d3db30f1527a01e1ddd3fc5b93c189fdb567
SHA-256: f144de72765344314b13a0b25c4c0724d879f48f4537e25a6f9f2e51734aac09
Risk Score: 84

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains multiple embedded JavaScript streams, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The ClamAV detection of 'Pdf.Dropper.Agent-7322577-0' strongly suggests this is a dropper. The embedded JavaScript is likely responsible for downloading and executing a secondary payload, which is a common technique for malware distribution. The document body text appears to be obfuscated or irrelevant, providing no direct clues to the lure.

Heuristics 4

  • ClamAV: Pdf.Dropper.Agent-7322577-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7322577-0
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename: javascript_obj0017_000.js
  SHA-256: d8cb9905b5ca98d42f3bf9d8f6bd68aa42f046f9704ff2ef7c95ae0cc0815bd8
  Kind: pdf-javascript-stream
  Source: PDF /JS object 17 at offset 0x27CA
  Size: 1532 bytes

Filename: javascript_obj0018_001.js
  SHA-256: b3bdb81aa98ced4998284f3768b0348c2f8436b9674eeb7f8ffac3913d2e1ea2
  Kind: pdf-javascript-stream
  Source: PDF /JS object 18 at offset 0x2E04
  Size: 4096 bytes

Filename: javascript_obj0019_002.js
  SHA-256: 12102ac2ab6256169b1b230c3fd36b9eba673ad00791290b3e5add85b095db96
  Kind: pdf-javascript-stream
  Source: PDF /JS object 19 at offset 0xC725
  Size: 2576 bytes

Filename: javascript_obj0020_003.js
  SHA-256: b631107836447ce28210e01a528d09477037bd0c1d2851f686e6916948b0519f
  Kind: pdf-javascript-stream
  Source: PDF /JS object 20 at offset 0xD188
  Size: 902 bytes

Filename: javascript_obj0021_004.js
  SHA-256: c89794ee0e5327b7d41e258419d43f7f5ae630b1568bee9889a3fd3bf212f855
  Kind: pdf-javascript-stream
  Source: PDF /JS object 21 at offset 0xD548
  Size: 2486 bytes