PDF malware analysis — malicious · c626d78d5fd1a392

MALICIOUS

PDF

588.6 KB Created: 2010-11-29 10:29:36 Authoring application: FPDF 1.6

MD5: 4e6b17825e645732a1cf6394844a5b47 SHA-1: 5de10eab75efebd1b902babc84e83e2036cf37a7 SHA-256: c626d78d5fd1a392db87b3ae9b1cb4f62992812bd63583cf630a9085074efd55

104 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 JavaScript/JScript T1204.002 Malicious File

The PDF file contains embedded JavaScript and utilizes ASCIIHexDecode filters, which are indicators of exploit activity. ClamAV detection of 'Js.Exploit.Shellcode-18' strongly suggests malicious JavaScript execution. The XFA form structure further supports the likelihood of exploitability. The primary intent appears to be the execution of malicious JavaScript, likely to download and run a secondary payload.

Heuristics 6

ClamAV: Js.Exploit.Shellcode-18 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.Shellcode-18
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Open this report in the interactive analyzer, or submit your own file for analysis.