MALICIOUS
110
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
The sample is identified as malicious by ML classifiers and ClamAV with the signature Pdf.Exploit.Agent-36874. It contains an XFA form and an AcroForm button with an action trigger, indicating it is designed to exploit PDF vulnerabilities. The embedded artifact stream_001_off000008ed.bin likely contains the exploit payload.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 5
-
ClamAV: Pdf.Exploit.Agent-36874 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-36874
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.xfa.org/schema/xfa-data/1.0/
- http://ns.adobe.com/xfdf/
- http://www.xfa.org/schema/xfa-form/2.8/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_001_off000008ed.bin66faa817cac2b1e967c951f2734ea067ff315e81416ea8acb105788b1153add2 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x8ED | 1469 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.