Malicious PDF — malware analysis report

Static analysis result for SHA-256 55d8865e39bc06ab…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
MD5: fe208148a4a6e468f63156c51b5c30d2
SHA-1: 0b6e5890f68690b40e34aa720a30cfff22f13fe3
SHA-256: 55d8865e39bc06abd50a4e13c28c103b692a896e60a944c741b6bdde38261939
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File (malicious attachment)
  • T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass

The PDF file was detected by ClamAV as Pdf.Exploit.Agent-36830, indicating it contains known malicious exploit code. It also contains an embedded script payload and an embedded file, both common techniques for delivering malware. The embedded script is heavily obfuscated, so its exact function cannot be determined statically, but the overall structure points to a malicious PDF designed to exploit a viewer vulnerability or trick the user into executing a payload.

Heuristics (6)

  • ClamAV: Pdf.Exploit.Agent-36830 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36830
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    All three are XDP/XFA namespace identifiers, consistent with the XFA form heuristic above rather than evidence of a download or callback channel.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_file_obj0008.bin
SHA-256: 6c7f25ad0fb744edfc7b79cccb10fcb36e04fd0bea45426c6a864074f1b56d7a
Kind: pdf-embedded-file
Source: PDF EmbeddedFile object 8 at offset 0xC6
Size: 42575 bytes
Detection: ClamAV: Pdf.Exploit.Agent-36830
Obfuscation or payload: unlikely