Malicious PDF — malware analysis report

Static analysis result for SHA-256 9db317c6fb7253a2…

Verdict: MALICIOUS
File type: PDF
Size: 100.7 KB
MD5: 668ed89d3a0436ea493ab0392ceb3e0f
SHA-1: 09722fa8cc988732bcf560c69abbee6592c3b1b0
SHA-256: 9db317c6fb7253a2b21ef1bfc4fc0019463703fc7d6b66a4665c5a36437051d4
Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The file is a PDF document identified by ClamAV as Pdf.Exploit.Agent-6136306-0. It contains an embedded script payload, indicated by the PDF_EMBEDDED_SCRIPT_PAYLOAD heuristic. The XFA form heuristic suggests the exploit targets XFA forms within PDFs. The embedded script is likely responsible for executing the malicious payload, potentially leading to further compromise.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all three are XDP/XFA schema namespace identifiers, not download locations):
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000246.bin
SHA-256: 79bd8b0890806d57491843e06ca17811171ae8468e1aecf23aa14b850c1fcd56
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x246
Size: 102374 bytes