MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1204 Malicious Link
T1204.002 Malicious Link: Malicious File
The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Exploit.Agent-36962' and an ML classifier indicating high maliciousness. The presence of an embedded file and an XFA form further suggests a malicious intent, likely to exploit a vulnerability and deliver a secondary payload. The embedded URL is suspicious and could be part of the exploit chain.
Machine Learning
- Nyx PDF Classifier malicious score 0.9996
Heuristics 7
-
ClamAV: Pdf.Exploit.Agent-36962 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-36962
-
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://2.lulabox.org/links/draws_destroyed.php?oozgbzmc=1i:32:1n:32:32&fhvab=1g:1m:1k:1l:31:2v:30:2w:1h:1l&rucfsydw=1g&ofijr=cvgrzxp&kztlwgu=qguja Referenced by PDF JavaScript
- http://2.lulabox.org/links/draws_destroyed.php?dkgi=1i:32:1n:32:32&fhaefe=1l:2w:1o:2w:30:1h:1j:1k:1n:1n&vkad=1g&shncoq=wjl&xxvkfjcz=pmmvhapReferenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.1/In PDF document text
- http://www.xfa.org/schema/xfa-template/2.2/Referenced by PDF JavaScript
- http://ns.adobe.com/xdp/In PDF document text
- http://www.xfa.org/schema/xci/1.0/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0041.bin |
pdf-embedded-file | PDF EmbeddedFile object 41 at offset 0x28B1 | 85 bytes |
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
|||
embedded_file_obj0042.bin |
pdf-embedded-file | PDF EmbeddedFile object 42 at offset 0x2963 | 1029 bytes |
SHA-256: dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91 |
|||
embedded_file_obj0043.bin |
pdf-embedded-file | PDF EmbeddedFile object 43 at offset 0x2B7C | 1866 bytes |
SHA-256: cc9bf9b4bff960fcc875cced8773f18df40c06e7a9fe9a44ed7dafd435f6cc72 |
|||
embedded_file_obj0044.bin |
pdf-embedded-file | PDF EmbeddedFile object 44 at offset 0x2FD4 | 144 bytes |
SHA-256: 3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169 |
|||
embedded_file_obj0045.bin |
pdf-embedded-file | PDF EmbeddedFile object 45 at offset 0x3080 | 77 bytes |
SHA-256: 10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.