Malicious PDF — malware analysis report

Static analysis result for SHA-256 f785c40b921f964f…

MALICIOUS

PDF

15.0 KB Created: 2009-06-06 12:30:26 +03:00 Authoring application: NitroPDF 6.0 (via BCL easyPDF 6.00.20)
MD5: 56976fdec2e7a88e895fc0b6cc641278 SHA-1: 49d4c14133df1dbb7a5ed19b52f8f1fea30a1bd1 SHA-256: f785c40b921f964fc80656fb00b38aaa19c6b7bb6dc6ef1fb13ef81864b959cf
120 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript, indicated by multiple heuristic firings including PDF_JAVASCRIPT, PDF_JS, and PDF_EVAL. The ClamAV detection of 'Pdf.Dropper.Agent-1829106' strongly suggests its malicious nature. The presence of a large JavaScript file ('javascript_obj0015_000.js') and the use of eval() point towards the execution of obfuscated code, typical for downloading and executing further malicious content. The document body is heavily obfuscated and does not provide clear user-facing text, reinforcing the idea that the primary interaction is through the embedded script.

Heuristics 6

  • ClamAV: Pdf.Dropper.Agent-1829106 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1829106
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0015_000.js
cb2979e7b0cb21e5b7b2ce8b4e6a70d43a64bd48ef939849e5903ddc5f065e07		 pdf-javascript-stream PDF /JS object 15 at offset 0x315 29328 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.