Malicious PDF — malware analysis report

Static analysis result for SHA-256 43b51a3f03c9a846…

MALICIOUS

PDF

28.3 KB
MD5: 3f3671982001b0f9be5fe8391df1f287 SHA-1: cbd4c8d63d301d265140f5020b52a3421391eb1d SHA-256: 43b51a3f03c9a846711c6b118e8b53bb61e6a6858be99d69855b03642885e0eb
68 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains XFA form elements and an embedded URL pointing to xfa.org, which is often associated with exploits targeting XFA processing. ClamAV detected this file as Js.Exploit.HTML-30, indicating the presence of JavaScript-based exploits. The embedded JavaScript likely attempts to download and execute a second-stage payload, contributing to the malicious verdict.

Heuristics 3

  • ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.