Malicious PDF — malware analysis report

Static analysis result for SHA-256 441aa8f2d1b3438c…

Verdict: MALICIOUS
File type: PDF
Size: 136.8 KB
Created: 2011-09-08 05:03:17
Authoring application: FPDF 1.6
MD5: 3c33133583f2067781f32f295ffdddf6
SHA-1: 9fdfd0b8b55095d0c7ec75aa4b8727cca567519f
SHA-256: 441aa8f2d1b3438cbc4a2530b5d3a4b56518a269fe725d088070534f5703c0f0
Risk score: 78

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

ClamAV flags the file as malicious with the signature Pdf.Exploit.Agent-36874. Static analysis found an XFA form and an AcroForm button field with an action trigger, both common building blocks of PDF exploits and phishing lures. A FlateDecode-compressed stream was also carved and decompressed; it contains a long base64-like blob, which may be an encoded second-stage payload or exploit code and warrants further inspection.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36874 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36874
  • XFA form [low, PDF_XFA]
    The PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger [low, PDF_ACROFORM_BUTTON]
    The PDF contains a /Btn form field together with a SubmitForm, URI, Launch or JavaScript action trigger. This is the building block of the fake "Download" or "Open" button overlays used in PDF phishing lures.
  • Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks, such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_001_off000008ed.bin
SHA-256: 86969c5033620af5351991ff1f7b62178f3b4126f88b3c3c9cc8c703eeae6d07
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x8ED
Size: 1439 bytes
Detection:
  ClamAV: No threats found
  Obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob)
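The heuristics listed above (XFA form, /Btn field with an action trigger, suspicious extracted artifact) and the stream carving in this section can be reproduced with a small script. The following is an added example, not the analysis platform's own code: it runs regex checks for /XFA and for /Btn fields carrying a direct SubmitForm/URI/Launch/JavaScript action, carves FlateDecode streams with zlib, hashes them and counts long base64-like runs. SAMPLE_PDF is a constructed input, not the report's sample; the object-matching regex, the 40-character base64 threshold, the artifact naming scheme and the finding labels are assumptions chosen for illustration.

```python
import base64
import hashlib
import re
import zlib

# Constructed sample input (synthetic, not the report's sample): a minimal PDF
# with an /XFA entry, a /Btn field carrying a direct /URI action, and a
# FlateDecode stream that wraps a second PDF holding a long base64-like blob.
_BLOB = base64.b64encode(bytes(range(60)))          # 80 chars, no '=' padding
SAMPLE_INNER = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n% " + _BLOB + b"\n%%EOF\n"
)
_COMPRESSED = zlib.compress(SAMPLE_INNER)
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Fields [3 0 R] /XFA 4 0 R >>\nendobj\n",
    b"3 0 obj\n<< /FT /Btn /T (Download) /A << /S /URI /URI (http://example.invalid/) >> >>\nendobj\n",
    b"4 0 obj\n<< /Length 6 >>\nstream\n<xdp/>\nendstream\nendobj\n",
    b"5 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(_COMPRESSED),
    _COMPRESSED, b"\nendstream\nendobj\n",
    b"%%EOF\n",
])

# "N G obj <<dict>> [stream ... endstream] endobj"; the non-greedy dict group
# backtracks over nested << >> until the trailing stream/endobj fits.
# Assumption: objects are not packed into /ObjStm object streams.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)?\s*(?:stream\r?\n(.*?)\nendstream\s*)?endobj",
    re.DOTALL,
)
XFA_RE = re.compile(rb"/XFA\b")
BTN_RE = re.compile(rb"/FT\s*/Btn\b")
ACTION_RE = re.compile(rb"/S\s*/(SubmitForm|URI|Launch|JavaScript)\b")
B64_RE = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")   # "long base64-like blob"


def triage(data: bytes) -> dict:
    """Apply the report's PDF heuristics and carve FlateDecode streams."""
    findings = set()
    artifacts = []
    if XFA_RE.search(data):
        findings.add("PDF_XFA")
    for m in OBJ_RE.finditer(data):
        obj_dict = m.group(3) or b""
        body = m.group(4)
        # Button field with a direct action trigger in the same object.
        # Caveat: /FT inherited from a parent field, or /A given as an
        # indirect reference (e.g. "/A 6 0 R"), is not followed here.
        if BTN_RE.search(obj_dict) and ACTION_RE.search(obj_dict):
            findings.add("PDF_ACROFORM_BUTTON")
        # Carve FlateDecode streams; other filters (LZW, ASCIIHex, ...) are
        # skipped. decompressobj tolerates the trailing junk and truncated
        # streams that malformed samples often carry, unlike zlib.decompress.
        if body is not None and b"/FlateDecode" in obj_dict:
            try:
                raw = zlib.decompressobj().decompress(body)
            except zlib.error:
                continue   # corrupt or deliberately broken stream
            blobs = B64_RE.findall(raw)
            artifacts.append({
                "name": "stream_%03d_off%08x.bin" % (len(artifacts) + 1, m.start(4)),
                "sha256": hashlib.sha256(raw).hexdigest(),
                "offset": m.start(4),          # offset of the stream data
                "size": len(raw),
                "is_pdf": raw.startswith(b"%PDF"),
                "base64_blobs": len(blobs),
            })
            if blobs:
                findings.add("EXTRACTED_FILE_STATIC_TRIAGE")
    return {"findings": sorted(findings), "artifacts": artifacts}


if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    for label in result["findings"]:
        print("heuristic:", label)
    for art in result["artifacts"]:
        print(art)
```

Regex-level checks like these are deliberately coarse: they ignore objects packed into /ObjStm object streams, inherited field attributes, indirect action references and non-Flate filters, and the base64 check also fires on long hex or URL-safe runs. They are useful for a first pass on a large corpus; a verdict on a single sample should come from a proper PDF object parser that resolves references and all filters.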