MALICIOUS
176
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF contains malformed active content and triggers heuristics indicating an exploit. Specifically, the shellcode embedded within the PDF contains a URL that is likely used to download a second-stage payload. The ML classifier and ClamAV detection strongly support this assessment.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 7
-
ClamAV: Pdf.Exploit.Agent-36962 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-36962
-
PDF exploit shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URLDecoded PDF exploit shellcode contains a hardcoded http(s) URL — stored as little-endian %uXXXX Unicode escapes, or hex-encoded in a document metadata field (/CreationDate, /Title) and referenced from the decoded script. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
-
Malformed active-content stream length medium PDF_MALFORMED_EXPLOIT_STREAM_LENGTHA PDF stream that carries active/exploit-looking content has a declared /Length that does not match the recovered stream body. Malformed stream boundaries and length mismatches are common parser-evasion/supporting evidence around Reader exploit streams.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
AcroForm button with action trigger low PDF_ACROFORM_BUTTONPDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://xvidstubes.me/pointless/zero_which_strike.php?nqh=32:1k:1f:1f:31&dhxi=1m:1n:1f:31:2w:1i:1g:1o:31:1i&izqcedf=1i&mzk=iodvqfei&xndyump=lrbj Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.1/In PDF document text
- http://www.xfa.org/schema/xfa-template/2.2/Referenced by PDF JavaScript
- http://ns.adobe.com/xdp/In PDF document text
- http://www.xfa.org/schema/xci/1.0/In PDF document text
- http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
Extracted artifacts 5
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0041.bin |
pdf-embedded-file | PDF EmbeddedFile object 41 at offset 0x2AC1 | 85 bytes |
SHA-256: c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb |
|||
embedded_file_obj0042.bin |
pdf-embedded-file | PDF EmbeddedFile object 42 at offset 0x2B73 | 1029 bytes |
SHA-256: dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91 |
|||
embedded_file_obj0043.bin |
pdf-embedded-file | PDF EmbeddedFile object 43 at offset 0x2D8C | 2028 bytes |
SHA-256: e4357621b8ed8bbfa5f444ed3283aa0fc49504d729f067aebca709347820f72e |
|||
embedded_file_obj0044.bin |
pdf-embedded-file | PDF EmbeddedFile object 44 at offset 0x322C | 144 bytes |
SHA-256: 3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169 |
|||
embedded_file_obj0045.bin |
pdf-embedded-file | PDF EmbeddedFile object 45 at offset 0x32D8 | 77 bytes |
SHA-256: 10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.