Malicious PDF — malware analysis report

Static analysis result for SHA-256 7884ebdab0ededc0…

MALICIOUS

PDF

136.8 KB Created: 2011-09-08 05:03:17 Authoring application: FPDF 1.6
MD5: 3c980873b5fe8c8d58a592c5becbad86 SHA-1: 9cf2ed8bc9ea5b03581a48fb6bf4d235b31c3323 SHA-256: 7884ebdab0ededc03b7743b1079ffc3f55a94c6c9954ef9e80f0c79f21815909
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Exploit.Agent-36874', indicating it contains an exploit. The presence of an XFA form and an AcroForm button with an action trigger further suggests malicious intent. The ML classifier also strongly indicated maliciousness. The extracted document body content is heavily obfuscated and does not provide clear user-facing text, but the technical indicators point to a client-side exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-36874 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36874
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off000008ed.bin
83ba5f024ab8eb3af83ab39adb45769f0a5852be67e6b19d83119a93a47432b1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x8ED 1429 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.