Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a40e19f2fb4d49a…

MALICIOUS

PDF

21.6 KB
MD5: 8db5215706e25de6ffbab0584c36af44
SHA-1: 44f26ce4020cff22b580b53855925a3dd492d061
SHA-256: 4a40e19f2fb4d49adb0a89b2cf4eaaa8df81d6a4c23910076e7bb48a4dc98510

Risk Score: 76

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File

The critical ClamAV heuristic 'Pdf.Exploit.Agent-36830' strongly indicates this PDF is malicious and exploits a known vulnerability. The presence of embedded files and XFA forms is a common characteristic of malicious PDFs. While no specific script was extracted, the PDF structure and the heuristic suggest it is designed to download and execute a second-stage payload.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-36830 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36830
  • Embedded file (severity: low, tag: PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload
  • XFA form (severity: low, tag: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/