Malicious PDF — malware analysis report

Static analysis result for SHA-256 220a4d56e551370a…

Verdict: MALICIOUS
File type: PDF
Size: 46.4 KB
MD5: 72f9bd328767690b23b4ce632aeb5be7
SHA-1: e764981312fee567546842ae6ca8926849d46554
SHA-256: 220a4d56e551370a7981fccf1b08b4b3a0220b71c4ba22ed806dc0492f2e1573
Risk Score: 68

Malware Insights

MITRE ATT&CK

  • T1204.002 User Execution: Malicious File (Malicious PDF)
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical-severity ClamAV heuristic matches this PDF against a known exploit signature, 'Pdf.Exploit.Dropped-78'. The XFA form flagged by the PDF_XFA heuristic is a common vector for exploiting vulnerabilities in PDF readers. The embedded URL, while seemingly benign, is likely part of the exploit chain. The obfuscated JavaScript within the document body, once decoded, follows a pattern consistent with downloading and executing a second-stage payload, likely leveraging the XFA vulnerability.

Heuristics (3)

  • ClamAV: Pdf.Exploit.Dropped-78 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Dropped-78
  • XFA form (severity: low, tag: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/
    Note: this URL is the XFA template schema namespace identifier that any XFA form declares, so its extraction is expected alongside the PDF_XFA finding and by itself is not evidence of network activity.