MALICIOUS
78
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
The file is identified as a malicious PDF by ClamAV with the signature Pdf.Dropper.Agent-7329020-0. Static analysis revealed embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The deobfuscated JavaScript file, legacy_pdfkit_stage_000.js, is suspicious and likely responsible for downloading and executing a second-stage payload. The obfuscated nature of the script suggests an attempt to evade detection.
Heuristics 4
-
ClamAV: Pdf.Dropper.Agent-7329020-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Dropper.Agent-7329020-0
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0008_000.jsa142a7865296e7c4355acf88a7e8ebdb36bf27fb69fa9dd23144d29680ee23e8 |
pdf-javascript-stream | PDF /JS object 8 at offset 0x1E7 | 2205 bytes |
legacy_pdfkit_stage_000.jsc3df0b6d669953258363ab802ac0d32c63d5685d76eb2e0ad1f70f86b924f691 |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0xAB8 | 1256 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.