Malicious PDF — malware analysis report

Static analysis result for SHA-256 255a56d89c5e6f9e…

Verdict: MALICIOUS
File type: PDF
Size: 32.0 KB
MD5: 8d8758866ac80cb63566f29eff4728e6
SHA-1: 97497965b3a54bbb2c7563f2846268475f91c253
SHA-256: 255a56d89c5e6f9e04462527e3c816c9e4fbae3d387bbf1d1bdfcc4e7b6e7ae9
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link

The PDF file contains an XFA form, which is a known vector for exploitation. ClamAV detected it as Js.Exploit.HTML-30, indicating embedded JavaScript is used for malicious purposes. The embedded URL is likely part of the exploit chain. The JavaScript, though obfuscated, appears to be involved in the exploitation process, potentially downloading and executing a second-stage payload.

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form (severity: low, tag: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/