Malicious PDF — malware analysis report

Static analysis result for SHA-256 48511e1e9676ba40…

Verdict: MALICIOUS
File type: PDF
Size: 97.1 KB
MD5: 47bfa3c23a0d1583c2d8b69e0487fc46
SHA-1: 7a517ffb36d03fc83244ad7de82e28632adc1c64
SHA-256: 48511e1e9676ba40d406ae977edbb532b4878d19274e87a2dd19a85e5dc61e69
Risk score: 88

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF uses XFA (XML Forms Architecture) forms, which can carry script logic and have historically served as an exploitation vector. The critical ClamAV signature match (Pdf.Exploit.Agent-6136306-0) is the basis for the malicious verdict; the remaining heuristics are supporting context rather than independent detections. A script payload embedded in a PDF stream was also identified and is the most likely carrier of the exploit logic, but its exact behaviour and objective could not be determined statically because the script is obfuscated. Note that the embedded-script heuristic found no Windows shell-execution primitives alongside the script tag, so the T1059.001 (PowerShell) mapping should be treated as unconfirmed until the script is deobfuscated or the sample is detonated in a sandbox.

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    All three are XML namespace identifiers from the XFA packet's xmlns declarations, not addresses the document contacts at runtime. They corroborate the XFA finding but are not network indicators and should not be treated as C2 or blocklisted.
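The three structural heuristics above (XFA present, a script tag inside a stream, URLs carved from stream content) can be reproduced with a few dozen lines of standard-library Python. The following is an added example written for this page, not the scanner's own code: it builds a constructed, benign XFA PDF (and a variant whose script mentions a shell primitive), walks every stream object, inflates FlateDecode streams, flags script tags, escalates only when shell-execution strings accompany them, and labels namespace URIs separately from real network indicators. The regular-expression stream parser, the primitive list and the severity ladder are assumptions chosen for illustration, not the report's actual rules.

```python
import re
import zlib

# Constructed sample, not the analysed file: an XFA template whose initialize
# event carries a script, plus the two namespace URIs the report lists.
XFA_XML = (
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
    b'<subform name="form1"><event activity="initialize">'
    b'<script contentType="application/x-javascript">app.alert("hello");</script>'
    b"</event></subform></template></xdp:xdp>"
)
# Constructed variant whose script does reference a Windows shell primitive.
XFA_XML_SHELL = XFA_XML.replace(b'app.alert("hello");', b"powershell -enc AAAA")

# Stream dictionary (one level of nested << >> tolerated) followed by its data.
# This is a sketch of PDF syntax, not a full parser: object streams, cross-
# reference streams and multi-filter chains are out of scope here.
STREAM_RE = re.compile(
    rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL
)
URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")
SCRIPT_TAG_RE = re.compile(rb"<script\b", re.IGNORECASE)
# Assumed namespace prefixes: URLs under these are schema identifiers, not beacons.
XFA_NAMESPACE_PREFIXES = (b"http://ns.adobe.com/xdp", b"http://www.xfa.org/schema/")
# Assumed list of shell-execution strings that escalate an embedded script.
SHELL_PRIMITIVES = (b"powershell", b"cmd.exe", b"wscript.shell", b"shellexecute")


def build_sample_pdf(xfa_xml: bytes, compress: bool = True) -> bytes:
    """Wrap an XFA XML blob in a minimal PDF skeleton (/AcroForm /XFA -> stream)."""
    body = zlib.compress(xfa_xml) if compress else xfa_xml
    filt = b" /Filter /FlateDecode" if compress else b""
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /AcroForm 2 0 R >> endobj\n",
        b"2 0 obj << /Fields [] /XFA 3 0 R >> endobj\n",
        b"3 0 obj << /Length %d%s >> stream\n" % (len(body), filt),
        body,
        b"\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


def iter_streams(pdf: bytes):
    """Yield (offset of stream data, decoded bytes) for every stream object found."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                pass  # keep raw bytes: a corrupt or truncated stream is itself worth a look
        yield m.start(2), data


def analyse(pdf: bytes) -> dict:
    """Apply the three structural heuristics from the report to a PDF byte string."""
    findings = {"xfa": b"/XFA" in pdf, "script_streams": [], "urls": {}}
    for offset, data in iter_streams(pdf):
        if SCRIPT_TAG_RE.search(data):
            lowered = data.lower()
            findings["script_streams"].append({
                "offset": offset,
                # Escalate only when shell primitives accompany the script tag.
                "shell_primitives": any(p in lowered for p in SHELL_PRIMITIVES),
            })
        for url in URL_RE.findall(data):
            label = "xml-namespace" if url.startswith(XFA_NAMESPACE_PREFIXES) else "network-indicator"
            findings["urls"][url.decode("ascii", "replace")] = label
    return findings


def severity(findings: dict) -> str:
    """Rank like the report: script with shell primitive > script alone > XFA alone."""
    if any(s["shell_primitives"] for s in findings["script_streams"]):
        return "high"
    if findings["script_streams"]:
        return "medium"
    return "low" if findings["xfa"] else "info"


if __name__ == "__main__":
    for name, xml in (("xfa-script", XFA_XML), ("xfa-script-shell", XFA_XML_SHELL)):
        result = analyse(build_sample_pdf(xml))
        offsets = [hex(s["offset"]) for s in result["script_streams"]]
        print(name, severity(result), "script stream offsets:", offsets, result["urls"])
```

The offsets reported are those of the stream data inside the file, which is what the "offset 0x26C" in the extracted-artifact entry refers to; carving the decoded bytes from that offset gives the same object the report lists. Against a real sample, replace the constructed PDF with `open(path, "rb").read()` and expect the namespace URIs to be labelled as such while any real callback address surfaces as a network indicator.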

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: embedded_pdf_script_0000026c.bin
    SHA-256: 5d566422782d6c74c8d395f429c861bc093728274f173819d2e088b2ca68c1d4
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x26C
    Size: 98659 bytes
    The artifact is almost as large as the sample itself, so this single stream holds nearly the whole document body. Deobfuscating it is the next analysis step; until then the payload's behaviour and goal remain undetermined, as noted in the summary above.