PDF malware analysis — malicious · 247c9d94ce492de5

MALICIOUS

PDF

45.2 KB

MD5: 3fbfdf4168287c26419cc8ffbb4918fe SHA-1: a3c72ecf70c229c26395a04e430dcd5ae05ae9aa SHA-256: 247c9d94ce492de5a4e8b18ba85af233530ad8aaacd64a44a841a32fb706d212

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The PDF file was flagged by ClamAV with 'Heuristics.PDF.ObfuscatedNameObject', indicating malicious obfuscation. Embedded JavaScript streams were also detected, suggesting the execution of arbitrary code. The presence of XFA forms and JavaScript actions points towards a sophisticated attack vector. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, although its exact function is obscured.

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `6e92a8956e6157ea67ebd70dd60f078a7e186dbe24fe9004db2497b5d5dca196`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA1E3	3628 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.