Malicious PDF — malware analysis report

Static analysis result for SHA-256 427b688bbf1da15b…

Verdict: MALICIOUS
File type: PDF
Size: 42.6 KB
MD5: 36201abb306e1fed15368c6e06393c0c
SHA-1: 3c42e8f89c369fbac788e329a1f16bb8a5bca1e8
SHA-256: 427b688bbf1da15bb699fdb0f4edd91edfa2c60ed102cf047336b938d0ee2eb2
Risk Score: 186

Malware Insights

MITRE ATT&CK
T1204 User Execution
T1204.002 User Execution: Malicious File

The file is identified as malicious by ClamAV with the signature Pdf.Exploit.Agent-36830. Static analysis revealed embedded script payloads and embedded files within the PDF structure, indicating an exploit attempt. The ML classifier also strongly flagged this PDF as malicious. The primary IOC is the ClamAV detection name.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • ClamAV: Pdf.Exploit.Agent-36830 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36830
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

  • embedded_file_obj0008.bin
    SHA-256: 0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0xC6
    Size: 46 bytes
  • embedded_file_obj0009.bin
    SHA-256: 911948c498c37cf7c7e4a53ea3f886fe2a63616fa37d790152776ba61ff027e8
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 9 at offset 0x13C
    Size: 685 bytes
  • embedded_file_obj0010.bin
    SHA-256: 8259db878f85521b2ee9c7ec108d34b19d3b6c900af7d501b5135c2cd3dcfde6
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 10 at offset 0x434
    Size: 168 bytes
  • embedded_file_obj0011.bin
    SHA-256: 000ba17dc6ef466ea4911773d05d06143111c94c91182d6c3699ff4cc40f4f70
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 11 at offset 0x527
    Size: 446 bytes
  • embedded_file_obj0012.bin
    SHA-256: d2f06f3fc6900856fe613a64a561919c8454dcbe0fdf238fb8b43e07016955ea
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 12 at offset 0x730
    Size: 190 bytes
  • embedded_file_obj0014.bin
    SHA-256: a523254b96c134a8423c6e3c7b2d4a9647c90d0a75ba582cff9fb219fbbc8507
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 14 at offset 0x83B
    Size: 40858 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36830
Obfuscation or payload: unlikely