Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cff539d0b46097c…

Verdict: MALICIOUS
File type: PDF
Size: 31.7 KB
MD5: ffaf6fc387e0e67e097903ac0f00766a
SHA-1: eab47a331cfe3e421398535443fdea006051c202
SHA-256: 1cff539d0b46097c1d98fe5915c746f022872ba0695444634182bfdf6460bd09
Risk score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains an XFA form and is detected by ClamAV as Js.Exploit.HTML-30, indicating that it likely contains malicious JavaScript. The embedded URL points to the XFA schema; XFA forms are often abused in exploits. The JavaScript, although partially obfuscated, appears to be designed to trigger an exploit, likely leading to the download and execution of a second-stage payload.

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form (severity: low, tag: PDF_XFA)
    The PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/