Malicious PDF — malware analysis report

Static analysis result for SHA-256 280b62f9085250c7…

MALICIOUS

PDF

82.6 KB
MD5: daa698887f2ee5d5bda8e906bff7b78a SHA-1: 5c73aa654f49b98992060a578ba60e5bbef21cd3 SHA-256: 280b62f9085250c76fcd8b0f888754daa15775c7559d898abdf6ece2b9ceffe0
178 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious Attachment T1059.001 Command and Scripting Interpreter: PowerShell

The PDF was flagged by multiple high-confidence heuristics, including ML classification and ClamAV detections, indicating it contains an exploit. The presence of an XFA form and an embedded script payload strongly suggests it's designed to execute malicious code. The embedded artifact, identified by ClamAV as Pdf.Exploit.Agent-36769, further confirms its malicious nature. The attack pattern is likely a user-assisted execution of a malicious PDF.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00000246.bin
024036506bd245b54443c680ff5dc012c5c4dee2e03bab9d1e593cf346b33024		 pdf-embedded-script PDF raw stream script payload at offset 0x246 83839 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36769
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.