Malicious PDF — malware analysis report

Static analysis result for SHA-256 f50a0268e5329358…

MALICIOUS

PDF

45.0 KB
MD5: f5619b41d043f5436d6a46759d134240 SHA-1: 58b3351baa5c6c6a738e6b934045170d34fd4a92 SHA-256: f50a0268e5329358a5306020d2ae6c795992b647588b03ce678fd5963afaa42f
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF containing embedded JavaScript, flagged by multiple heuristics including ML and ClamAV detection as malicious. The presence of JavaScript actions and streams indicates an attempt to execute code. The ClamAV detection name 'Pdf.Exploit.Agent-36128' suggests a known PDF exploit. The embedded JavaScript is likely responsible for exploiting a vulnerability within the PDF reader to achieve its malicious objective, such as downloading a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-36128 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
0e71c0b23fb486aa96efb814bbb5cdac53444b8cdef498d02c412d695ddcace6		 pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 45305 bytes
legacy_pdfkit_stage_000.js
f3dfcb0bfdf2048e415e95e6154231899ce3812957af9d2adb8eeb4a3752687e		 deobfuscated-js double percent-decoded annotation JavaScript at offset 0x1E7 33047 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.