Malicious PDF — malware analysis report

Static analysis result for SHA-256 ffa154c82c43ff2d…

MALICIOUS

PDF

45.0 KB
MD5: 39bac7bc6ff7d767ef5ee7e12a5e3620 SHA-1: c866bf91ca9a6382f8deb2f5d783e9d4185efd29 SHA-256: ffa154c82c43ff2dd4777eba49d25950bce2d20c87fac6332a4874f8869a35f0
76 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The critical ClamAV heuristic indicates this PDF is malicious, specifically identified as Pdf.Exploit.Agent-36128. The presence of embedded JavaScript, detected by PDF_JAVASCRIPT and PDF_JS heuristics, strongly suggests an exploit is being used to run code. This JavaScript is likely responsible for downloading and executing a secondary payload, a common technique for initial access.

Heuristics 3

  • ClamAV: Pdf.Exploit.Agent-36128 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36128
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
5c06c47ac31ef2eb903b672d2815d73428365c1c963bc535370e7ba79dfa5382		 pdf-javascript-stream PDF /JS object 8 at offset 0x1E7 45305 bytes
legacy_pdfkit_stage_000.js
94e386ab8b201f73d907232a991ae3068252cfcbeb454f468645bdf4fd255952		 deobfuscated-js double percent-decoded annotation JavaScript at offset 0x1E7 33047 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.