Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf04fd1899104806…

Verdict: MALICIOUS
File type: PDF
Size: 7.0 KB
MD5: 8b4e6d125c7345b53a74c650f878d29b
SHA-1: f86334bc5f0d65f6010bb35fe61e39b1dfa1c182
SHA-256: cf04fd18991048063a5c8aa52ea2d5e14c9665f434cc629cf370ab3ede6f19e3
Risk Score: 76

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1566.002 Phishing: Spearphishing Attachment

The PDF sample triggered multiple heuristics indicating malicious intent: an /OpenAction trigger, an XFA form, and an ASCIIHexDecode filter present alongside exploit-delivery indicators. Together these suggest the document is designed to exploit a vulnerability in the PDF reader. The presence of an AcroForm button with an action trigger further supports the likelihood of code execution when the document is opened. No scripts were extracted, so the payload itself was not recovered, but the combination of PDF-specific exploit indicators points towards downloader or dropper functionality.

Heuristics (4)

  • OpenAction trigger (severity: high, PDF_OPENACTION)
    PDF has an /OpenAction that launches, submits, or opens an external target.
  • ASCIIHexDecode filter with exploit indicators (severity: medium, PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit-delivery indicators; often used to hide payload or shellcode bytes.
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger (severity: low, PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger; this is the building block of the fake 'Download' or 'Open' button overlays used in PDF phishing lures.