Malicious PDF — malware analysis report

Static analysis result for SHA-256 9beebcab2656dbd5…

Verdict: MALICIOUS
File type: PDF
Size: 79.4 KB
MD5: 485a65693549dba5f2cfa7b68b8b1309
SHA-1: aa8ff671101e55573b873316cbcbc24011e87bb2
SHA-256: 9beebcab2656dbd5c02ff55e33aece92b3de75960e7d1a03251a457cc113189c
Risk score: 148

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File

The PDF file uses XFA forms, a known vector for embedding malicious content. Static analysis detected an embedded script payload within a PDF stream, which ClamAV identified as 'Pdf.Exploit.Agent-6136306-0'. Further analysis of an extracted artifact revealed a JavaScript exploit ('Js.Exploit.HTML-29'). The embedded JavaScript is likely responsible for executing the exploit, which leads to the malicious verdict. The URLs found are XFA schema namespaces and do not by themselves indicate the exploit's target.

Heuristics (5)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [medium, PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low, PDF_XFA]
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_pdf_script_0000023c.bin
    SHA-256: b316a6baa858700d0bd29cd81d8582ad121e472e41a4adec773ebd128edc01e6
    Kind: pdf-embedded-script
    Source: PDF raw stream script payload at offset 0x23C
    Size: 80633 bytes
    Detection: ClamAV: Js.Exploit.HTML-29
    Obfuscation or payload: unlikely