PDF malware analysis — malicious · 35fd9b4eeb4791d3

MALICIOUS

PDF

155.7 KB

MD5: 75ca631e8ff9eac40bf5d018bd9625eb SHA-1: 7373d388c661c2f7bdf4be9aba4229a73457826b SHA-256: 35fd9b4eeb4791d3b0deb7e5db1606457ea8e4b3aa064aac9492a3848a0b2435

84 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript and is flagged by ClamAV for obfuscated objects, indicating malicious intent. The embedded JavaScript is likely designed to download and execute a second-stage payload from one of the extracted URLs. The XFA form structure also suggests a potential vector for exploitation.

Heuristics 5

ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `c4ba3591c3074e8fbc2f51681f2267ae4d6650196a96437268cf3aa864f515e3`	pdf-javascript-stream	PDF /JS object 12 at offset 0x262D5	5835 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.