Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdfe32403e3f95a7…

MALICIOUS

PDF

79.4 KB
MD5: 5e8b3b1b0c7c939da41a9564846970ef
SHA-1: 1d2297a9314e70af83d63b632a0d9c2117bae6d1
SHA-256: bdfe32403e3f95a7fb0e18ef0d6c8ba1316f58a2c348fbd54e3c965b07064da3

Risk Score: 88

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical ClamAV heuristic 'Pdf.Exploit.Agent-6136306-0' and the medium heuristic 'PDF_EMBEDDED_SCRIPT_PAYLOAD' indicate that the PDF contains malicious embedded content. The presence of XFA forms, a feature often targeted by exploits, further supports this assessment. The embedded script payload is the likely exploit trigger, and a successful exploit would probably download and execute a second-stage payload. The embedded URLs are XFA/XDP namespace identifiers that belong to the PDF's own structure; they are not themselves malicious.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000023c.bin
SHA-256: 3c68383728e6923bca8c36a383ba532c3819e0fa337df72ec980c39c06db4008
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x23C
Size: 80622 bytes