PDF malware analysis — malicious · 17bf50d7a9de6a9e

MALICIOUS

PDF

14.1 KB

MD5: f808e38deef0ebbddd41a4796377f5d6 SHA-1: 88f7d0d47399fbba4e56dec5e0db74bc9308c085 SHA-256: 17bf50d7a9de6a9edb207dab0f813c0b54a64eb76207c862cd59b0a06bb2da32

116 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Exploit.Agent-36962', and an ML classifier indicating high maliciousness. The presence of XFA forms and embedded files suggests an exploit targeting PDF rendering or form processing capabilities. The primary attack vector is likely spearphishing, with the PDF acting as an attachment designed to exploit a client execution vulnerability.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

ClamAV: Pdf.Exploit.Agent-36962 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36962
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.xfa.org/schema/xfa-locale-set/2.1/
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/1.0/
- http://www.xfa.org/schema/xfa-template/2.2/
- http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 5

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0041.bin` `c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb`	pdf-embedded-file	PDF EmbeddedFile object 41 at offset 0x2AE8	85 bytes
`embedded_file_obj0042.bin` `dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91`	pdf-embedded-file	PDF EmbeddedFile object 42 at offset 0x2B9A	1029 bytes
`embedded_file_obj0043.bin` `6f03c72de447e14766f0014f62267fed96f7ac22c54c485ead75824526a05793`	pdf-embedded-file	PDF EmbeddedFile object 43 at offset 0x2DB3	1837 bytes
`embedded_file_obj0044.bin` `3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169`	pdf-embedded-file	PDF EmbeddedFile object 44 at offset 0x3207	144 bytes
`embedded_file_obj0045.bin` `10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275`	pdf-embedded-file	PDF EmbeddedFile object 45 at offset 0x32B3	77 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.