PDF malware analysis — malicious · 489125430b6d6a9a

MALICIOUS

PDF

6.6 KB Created: 2010-06-02 11:15:54

MD5: bc54713a111a6d9cfee13add959c25de SHA-1: 2a26492267ef20eec579349283ab35c40f077c46 SHA-256: 489125430b6d6a9aa21f4ff14d304e6b2be088e3310d728fe2736e57a064d2bf

76 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1059 Command and Scripting Interpreter T1059.001 PowerShell T1059.003 Windows Command Shell T1059.007 JavaScript

The PDF file contains multiple heuristic firings indicating malicious intent, including PDF_OPENACTION, PDF_XFA, PDF_FILTER_HEX, and PDF_ACROFORM_BUTTON. These indicators suggest the file is designed to exploit vulnerabilities within the PDF reader. The presence of ASCIIHexDecode filter with exploit indicators further supports this. No scripts were extracted from this sample, but the combination of PDF-specific exploits points to a common attack pattern for delivering malicious payloads.

Heuristics 4

OpenAction trigger high PDF_OPENACTION

PDF has an /OpenAction that launches, submits, or opens an external target
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
AcroForm button with action trigger low PDF_ACROFORM_BUTTON

PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Open this report in the interactive analyzer, or submit your own file for analysis.