PDF malware analysis — malicious · c52fdb5e55750791

MALICIOUS

PDF

32.0 KB

MD5: 2fe8258aec852c88c4d669bdc54e2510 SHA-1: 571c6fe24efa124e257d8fbbc9cfd466a2930cea SHA-256: c52fdb5e55750791fb2082e2677710a5244295e0d94658cbbffa26162ce3aa3c

98 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for Js.Exploit.HTML-30, indicating it contains malicious JavaScript. The ML classifier also strongly indicated maliciousness. The embedded URL, while not directly executable, is associated with XFA forms, which are known to be exploited. The JavaScript, though obfuscated, is the primary mechanism for exploitation, likely leading to the download and execution of a second-stage payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.HTML-30
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.