Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf321b3face7b094…

MALICIOUS

PDF

8.0 KB
MD5: 329e0e4d973dc1cb3377329257716d85 SHA-1: 9e9439b0e6473febffdb9962c6df61913c82b07e SHA-256: cf321b3face7b0941c1f4ce2b9e4562c7c4859f7d9a0d118b5c7934459512247
106 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File

The file is identified as malicious by ClamAV and an ML classifier, indicating it's likely an exploit delivery mechanism. The presence of embedded files and XFA forms are common techniques for PDF-based attacks. While no specific script was extracted, the heuristics strongly suggest the PDF contains an exploit targeting vulnerabilities, likely leading to the download and execution of a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics 4

  • ClamAV: Pdf.Exploit.Agent-36830 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36830
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Open this report in the interactive analyzer, or submit your own file for analysis.