Malicious PDF — malware analysis report

Static analysis result for SHA-256 26e6126b19eb2ea8…

MALICIOUS

PDF

100.6 KB
MD5: f296994c849e9895a094fa3becdebb24 SHA-1: 63456067af9e4c838cf2aee8753a05fb39686ac0 SHA-256: 26e6126b19eb2ea80ee3dd4b9b3b96fb79c269b5321373101a6dd2a575a6e188
118 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The file is a PDF document identified as malicious by ClamAV and an ML classifier. It contains an embedded script payload and utilizes XFA forms, indicating an exploit attempt. The embedded script is likely responsible for executing malicious actions, potentially downloading further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00000246.bin
632e4a9c11127c29d0386a8efc08298c65f1e0a03afce0e5d5ba8a3ee4d76f73		 pdf-embedded-script PDF raw stream script payload at offset 0x246 102343 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.