Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f1b9a420bdb60b2…

Verdict: MALICIOUS
File type: PDF
Size: 31.6 KB
MD5: 0fd8d9c17ac53b0856d9bae73ebc7793
SHA-1: ecb34bac9f268b3b9843d15a37a23d3a322e5015
SHA-256: 6f1b9a420bdb60b29a2c7127868afe249d759f4ff41602df3d95d2639da08b96
Risk score: 100

Malware Insights

MITRE ATT&CK
  • T1059.007 Command and Scripting Interpreter: JavaScript
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The PDF was flagged by ClamAV as Js.Exploit.HTML-30 and by an ML classifier as malicious. It uses XFA forms, which can carry script logic and have been abused to run JavaScript in the reader. The ClamAV signature name points to JavaScript exploit content, and the JavaScript appears to be obfuscated. Note that the one extracted URL, http://www.xfa.org/schema/xfa-template/2.5/, is the XML namespace that every XFA template declares, not a download location, so a second-stage download cannot be inferred from it; confirming that behaviour requires deobfuscating the script or detonating the file rather than relying on the URL list.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form (severity: low, tag: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/
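As an added example, not part of this report or of the scanner that produced it, the following Python shows the kind of static triage the heuristics above describe: flag the /XFA, /JS and /OpenAction keywords in the raw file, inflate FlateDecode streams so that script elements inside the XFA XML become visible, extract URLs, and label the xfa.org and Adobe XDP namespace URIs as structural rather than treating them as payload locations. The sample PDF, its XFA XML and the `http://example.test/stage2` URL in the usage note are constructed here and are benign; the tag names (PDF_XFA, XFA_SCRIPT, ...) mirror the report's wording but the logic is an illustration, not the scanner's.

```python
import re
import zlib

# Constructed sample (not the reported file): a minimal, benign PDF carrying an
# XFA form whose template declares the standard xfa.org namespace and holds a
# <script> element, plus an /OpenAction JavaScript action. Built inline so the
# example runs offline.
XFA_XML = (
    b'<?xml version="1.0"?>'
    b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
    b'<subform name="form1"><event activity="initialize">'
    b'<script contentType="application/x-javascript">'
    b'app.alert("constructed sample");'
    b'</script></event></subform></template></xdp:xdp>'
)


def build_sample_pdf(xfa_xml: bytes) -> bytes:
    """Assemble a tiny PDF: catalog, empty page tree, AcroForm with a
    FlateDecode /XFA stream, and an /OpenAction JavaScript action."""
    packed = zlib.compress(xfa_xml)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Fields [] /XFA 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed
        + b"\nendstream",
        b"<< /S /JavaScript /JS (app.alert\\(1\\)) >>",
    ]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# XML namespace URIs that every XDP/XFA document declares; their presence is
# structural, not an indicator of a download location.
NAMESPACE_PREFIXES = ("http://www.xfa.org/schema/", "http://ns.adobe.com/xdp/")

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def inflate_streams(pdf: bytes) -> list:
    """Best-effort decode of every stream body: FlateDecode streams are
    inflated, anything else is returned raw so it still gets scanned."""
    bodies = []
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)
    return bodies


def triage_pdf(pdf: bytes) -> dict:
    """Static triage: structural keywords from the raw file, script and URL
    findings from the raw file plus inflated streams. Tag names mirror the
    report's heuristics; the logic is an illustration, not the scanner's."""
    scan = pdf + b"\n" + b"\n".join(inflate_streams(pdf))
    findings = {
        "PDF_XFA": b"/XFA" in pdf,
        "PDF_JS": re.search(rb"/JS\b|/JavaScript\b", pdf) is not None,
        "PDF_OPENACTION": b"/OpenAction" in pdf,
        # XFA script logic only becomes visible after inflating the stream
        "XFA_SCRIPT": re.search(rb"<script\b", scan, re.I) is not None,
    }
    urls = []
    for raw_url in sorted(set(URL_RE.findall(scan))):
        url = raw_url.decode("latin-1")
        label = "xml-namespace" if url.startswith(NAMESPACE_PREFIXES) else "unclassified"
        urls.append((url, label))
    findings["urls"] = urls
    # A URL only counts toward the verdict once it is something other than a
    # schema namespace; script presence counts regardless.
    findings["suspicious"] = (
        findings["PDF_JS"]
        or findings["XFA_SCRIPT"]
        or any(label != "xml-namespace" for _, label in urls)
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf(XFA_XML)).items():
        print(key, value)
```

Run stand-alone, the script reports all four structural tags as true for the constructed sample and lists both extracted URLs as `xml-namespace`, so they do not contribute to the verdict; the /OpenAction JavaScript and the `<script>` element inside the inflated XFA stream do. Appending a comment containing the constructed URL `http://example.test/stage2` to the XFA XML yields an `unclassified` entry, which is the kind of URL that would actually warrant the "download a secondary payload" reading.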