Malicious PDF — malware analysis report

Static analysis result for SHA-256 9367d6a49b176467…

MALICIOUS

PDF

5.9 KB
MD5: 4c39cbe8f4882084fbbcaf7dd8401497
SHA-1: 968bb0b4981631d59a5d2fe12944b30af5c758ca
SHA-256: 9367d6a49b176467d95392818ace70a28152bc6d20e5dacd59ddddba48dd96df
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File

The PDF file contains multiple heuristic firings indicating malicious intent, including PDF_OPENACTION and PDF_FILTER_HEX with exploit indicators. These suggest the file is designed to trigger an exploit when opened, likely leading to arbitrary code execution. The presence of XFA forms and AcroForm buttons with action triggers further supports this. No specific family could be identified.

Heuristics (4)

  • OpenAction trigger (severity: high, PDF_OPENACTION)
    PDF has an /OpenAction that launches, submits, or opens an external target
  • ASCIIHexDecode filter with exploit indicators (severity: medium, PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit delivery indicators; often used to hide payload or shellcode bytes
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic
  • AcroForm button with action trigger (severity: low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures