PDF malware analysis — malicious · 8ba73b2205701071

MALICIOUS

PDF

100.8 KB

MD5: 53d5a142d0010c0500233a5027ccf9b9 SHA-1: 2fd56078697dde9a5f5f81aa17f9ddb8f4770843 SHA-256: 8ba73b2205701071328654cccc84acb5f6b72984d5a38a0e9320e406405b759a

88 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution: Malicious Attachment T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains an embedded script payload within an XFA form, as indicated by the 'PDF_XFA' and 'PDF_EMBEDDED_SCRIPT_PAYLOAD' heuristics. ClamAV detection 'Pdf.Exploit.Agent-6136306-0' confirms its malicious nature. The embedded script is likely responsible for executing the exploit, leading to the delivery of a secondary payload. The embedded URLs, while not directly malicious, are associated with the PDF structure.

Heuristics 4

ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD

PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xfa-template/2.5/
- http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_pdf_script_0000026c.bin` `0caea2b041a88db687423db47e58d9960d05c7c9fd05cfebc713268fb79e6998`	pdf-embedded-script	PDF raw stream script payload at offset 0x26C	102521 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.