Malicious PDF — malware analysis report

Static analysis result for SHA-256 644bda08a07472e9…

MALICIOUS

PDF

28.0 KB
MD5: d4befeb5c5833c7a1fa2520efeb67d6b
SHA-1: 2eef6fd3515c132fbc043568652f9a196a2f5045
SHA-256: 644bda08a07472e99338e317c6aa0e63e44c62747056064580eccd8567906872
Risk Score: 100

Malware Insights

MITRE ATT&CK
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Spearphishing Attachment

The PDF was flagged by a machine learning classifier and ClamAV as malicious, specifically detecting embedded JavaScript exploits. The presence of an XFA form suggests the use of advanced PDF features for exploitation. The embedded URL, while seemingly benign, is part of the exploit chain. The JavaScript likely attempts to download and execute a second-stage payload, a common technique for initial client execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-template/2.5/