PDF malware analysis — malicious · f2aacc35c2bda005

MALICIOUS

PDF

45.0 KB

MD5: 8d41c0abab56055c1470e9f5312e138a SHA-1: eaa4b54012474075261d167337d934862b66246c SHA-256: f2aacc35c2bda005c5e2883a559aab80e8da644896f2861309f9f9288271dc1a

76 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file was detected by ClamAV as Pdf.Exploit.Agent-36128, indicating it contains a known exploit. Embedded JavaScript streams were found, which are commonly used to deliver second-stage payloads or exploit vulnerabilities within the PDF reader. The deobfuscated JavaScript suggests an attempt to execute malicious code.

Heuristics 3

ClamAV: Pdf.Exploit.Agent-36128 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0008_000.js` `a0767c9a5f582204b1f4b4e037cde4ee6ed30f2b00184af43734a8ef3bb35d26`	pdf-javascript-stream	PDF /JS object 8 at offset 0x1E7	45305 bytes
`legacy_pdfkit_stage_000.js` `36007f9f4e078976bc23cf81314d9b23a3c4be047a5764651a4564ff8c747000`	deobfuscated-js	double percent-decoded annotation JavaScript at offset 0x1E7	33047 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.