Malicious PDF — malware analysis report

Static analysis result for SHA-256 d4d8e3e691610c6a…

MALICIOUS

PDF

93.5 KB
MD5: a33e2672d51613c74701b1f6845339ca
SHA-1: 1d5105e0e61fe9d72d6a41d0755fa897b2c56f6e
SHA-256: d4d8e3e691610c6acaae2b8fec47e10a66839a2be6c455f4a3ec8125e464ae9c

Risk Score: 178

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File (malicious PDF)

The PDF utilizes XFA forms and contains an embedded script payload, as indicated by multiple high-severity heuristics and ClamAV detections. The ML classifier strongly flags this PDF as malicious. The embedded script is likely responsible for executing the exploit, leading to the delivery of a secondary malicious artifact. The URLs present are related to XFA schemas and Adobe, but their reputation is unknown or benign, suggesting they are not directly involved in the malicious payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • ClamAV: Pdf.Exploit.Agent-6136306-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-6136306-0
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [medium, PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives. This is common in accessible XFA forms but worth surfacing for analyst review.
  • XFA form [low, PDF_XFA]
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_00000246.bin
SHA-256: f022ed8c47ce73daacccd7a42c2de1075b13619bfaa45b5df640ac6e183acd62
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x246
Size: 94992 bytes
Detection: ClamAV: Pdf.Exploit.Agent-36769
Obfuscation or payload: unlikely