PDF malware analysis — malicious · 20219e17ce797532

MALICIOUS

PDF

28.0 KB

MD5: f4d56233db93118bd2970b6e730d4db7 SHA-1: 7c7814b5185fcedeedfd1b7293d74be062c8c307 SHA-256: 20219e17ce79753248648d3c949cdf1b639ce0ed34879d72538b0abca9686e29

100 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: Malicious File

The PDF file contains XFA form elements and embedded JavaScript, as indicated by the PDF_XFA heuristic and the content within the DOC BODY. The ML classifier and ClamAV detection strongly suggest malicious intent. The embedded JavaScript, although obfuscated, appears to be designed to download and execute a second-stage payload from the URL http://www.xa.org/schema/xfa-template/2.5/. This points to a common attack pattern for delivering further malware.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.HTML-30
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.