Malicious PDF — malware analysis report

Static analysis result for SHA-256 aadd871673317443…

Verdict: MALICIOUS
File type: PDF
Size: 7.1 KB
MD5: 6b2b84fb51aab0d190e8fc4759d04f8b
SHA-1: 5cf3ee04cca7ab8c0e0831dc2107d02abd816a44
SHA-256: aadd8716733174433c78e4566df64490e7535882037523a6e71e00546aa060a8
Risk score: 76

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File

The PDF file contains multiple heuristic firings indicating malicious intent, including an OpenAction trigger and the use of ASCIIHexDecode filters with exploit indicators. These suggest the document is designed to execute arbitrary code when opened, likely leveraging a known PDF vulnerability. The presence of XFA forms and AcroForm buttons with actions further supports the exploitation of PDF features for malicious purposes.

Heuristics (4)

  • OpenAction trigger | severity: high | rule: PDF_OPENACTION
    PDF has an /OpenAction that launches, submits, or opens an external target
  • ASCIIHexDecode filter (with exploit indicators) | severity: medium | rule: PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • XFA form | severity: low | rule: PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger | severity: low | rule: PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures