Malicious PDF — malware analysis report

Static analysis result for SHA-256 876fc5942eb21f54…

Verdict: MALICIOUS
File type: PDF
Size: 93.4 KB
MD5: 20cb60ff41102b6d543817afe4a863da
SHA-1: 89853a6d4493b0d3155a0247c9d8e7a1557916ca
SHA-256: 876fc5942eb21f54ce118b430ea7a4eb3f5cbb53d21c4f232e3fd1ec6e51ded7
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204 Malicious File
  • T1204.002 Malicious File: User Execution: Malicious Attachment
  • T1059 Command and Scripting Interpreter

The PDF utilizes XFA forms and contains an embedded script payload, strongly indicating malicious intent. The ML classifier and ClamAV detections confirm this, flagging it as a known exploit. The embedded script is likely responsible for downloading and executing a second-stage payload, although its exact function is obscured by the PDF structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000246.bin
SHA-256: 0163c763b1c8008544ff5a61970f5286e3df4958bd4d7d33063646b67325c647
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x246
Size: 94924 bytes
Detection: ClamAV: Pdf.Exploit.Agent-36769
Obfuscation or payload: unlikely