Malicious PDF — malware analysis report

Static analysis result for SHA-256 914578be08a08dbf…

MALICIOUS

PDF

105.5 KB
MD5: 611fb94314299374142e8dea5089f2c0 SHA-1: 82bc49287ec7fca83c4628b9379ae9e743debe38 SHA-256: 914578be08a08dbfda3374a512baf3eb4044c50f7c8886860fcee0ea4da9e015
148 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059 Command and Scripting Interpreter

The PDF file contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. ClamAV detection as Pdf.Exploit.Agent-6136306-0 further confirms its malicious nature. The presence of XFA form elements suggests a potential exploit targeting Adobe's XML Forms Architecture. The embedded URLs, while not directly leading to malicious content in this analysis, are part of the document's structure and could be used for further exploitation or C2 communication.

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_pdf_script_00000238.bin
b2dbc290fab0a2ca21b138d6c88861d57217dfd250ffa89fa6eb7144f4dc9d4f		 pdf-embedded-script PDF decompressed stream script payload at offset 0x238 107982 bytes
Detection
ClamAV: Pdf.Exploit.Agent-6136306-0
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.