Malicious PDF — malware analysis report

Static analysis result for SHA-256 cab098221bb76fbb…

Verdict: MALICIOUS
File type: PDF
Size: 97.1 KB
MD5: 6b8079c2f08f622b550a3a70cf585a27
SHA-1: 98d45c0f12dd85abcf4a3f2ee4422972fd863898
SHA-256: cab098221bb76fbb249e5cba207d254452b888ef3b4d6908231bd1a6506d6a3e
Risk Score: 88

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File

The PDF file contains an embedded script payload and triggers heuristics related to XFA forms and embedded scripts, which together indicate an exploit attempt. The ClamAV detection confirms the malicious verdict. Given the 'Pdf.Exploit.Agent-6136306-0' signature, the embedded script is most likely a downloader that fetches and executes a secondary payload.

Heuristics (4)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • Embedded script payload in PDF stream [medium] PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (all three are XML namespace identifiers used by XFA/XDP documents):
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000026c.bin
SHA-256: 8aff4559384dfed3d04c4000af7f5bf5acdde1e40077959e8e39ed7e1f2871f7
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x26C
Size: 98659 bytes