Malicious PDF — malware analysis report

Static analysis result for SHA-256 e24dca3b6f4b9ba9…

Verdict: MALICIOUS
File type: PDF
Size: 31.7 KB
MD5: c940d317912bf9af8ddf3cf81b912178
SHA-1: 15c3449ce214572f552e28e73db2a28be8dd6488
SHA-256: e24dca3b6f4b9ba9dcc4f868a8776a89e9a7b46aa089136baadc3a1944bc3acb
Risk Score: 98

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The PDF was flagged by ClamAV as Js.Exploit.HTML-30 and a machine learning classifier. It contains an embedded URL and utilizes XFA forms, which are known vectors for JavaScript execution. The JavaScript appears to be obfuscated but likely aims to download and execute a second-stage payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form (severity: low, PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://www.xfa.org/schema/xfa-template/2.5/