Malicious PDF — malware analysis report

Static analysis result for SHA-256 959493305f427768…

Verdict: MALICIOUS
File type: PDF
Size: 31.8 KB
MD5: 94f11607a3c6f56eff3cbe00a5fee02d
SHA-1: d9d6e2c6b6e0537abcb1bca32db3e94bc75d1c71
SHA-256: 959493305f4277683f0b0239b83e1207ce51a61663860bb42a32946793124b68
Risk Score: 70

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file was identified as malicious by ClamAV with the signature Js.Exploit.HTML-30, indicating an embedded JavaScript exploit. The presence of an XFA form further supports the exploit vector. The embedded URL, while seemingly benign, is part of the exploit structure. The JavaScript code appears to be obfuscated, making a precise determination of its payload difficult, but it is likely designed to download and execute a second-stage payload.

Heuristics (4)

  • ClamAV: Js.Exploit.HTML-30 (severity: critical; id: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form (severity: low; id: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed (severity: info; id: PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file with the error "PDF differential parser failed: PSEOF". Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (severity: info; id: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/