Malicious PDF — malware analysis report

Static analysis result for SHA-256 e41a894bb89bd7d1…

Verdict: MALICIOUS
File type: PDF
Size: 31.9 KB
MD5: 44fa47e622f51a527a9b4490d23c69ca
SHA-1: 24d43dc702c49930a81f2e8747640a00da2cd839
SHA-256: e41a894bb89bd7d18e56b6f71a126d68ce50a9456ee9eb1ee983cb4d90cfa20f
Risk Score: 68

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File

The critical-severity ClamAV detection, Js.Exploit.HTML-30, is a signature for JavaScript/HTML exploit content; the signature name identifies a known exploit pattern, not the specific vulnerability targeted. The PDF_XFA heuristic confirms that the document carries an XML Forms Architecture form. XFA forms can embed JavaScript in <script> elements bound to form events such as initialize, which a reader executes when the form loads, so the two findings together are consistent with a JavaScript payload delivered through the XFA form rather than through a conventional AcroForm action. The single extracted URL, http://www.xfa.org/schema/xfa-template/2.5/, is the XML namespace URI of the XFA template schema and is declared by every XFA form; it is structural, not a download or command-and-control location, and should not be counted as an indicator of compromise. The report does not include the decoded script, and no listed heuristic shows a network download, a dropped file or PowerShell use, so the T1059.001 mapping and any second-stage download are inferences that need confirmation from manual inspection of the decompressed XFA stream or from detonation in a sandbox. T1204.002 (the victim opening the file) is supported by the delivery format itself.

Heuristics (3)

  • ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-template/2.5/
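As an added illustration of what the PDF_XFA and EMBEDDED_URL heuristics above look for (this is example code written for this page, not the analysis platform's own scanner), the following Python script locates stream objects in a PDF, inflates FlateDecode streams, pulls <script> bodies out of any XFA packet, extracts URLs, and labels XML namespace URIs such as the xfa.org one as structural so they are not mistaken for network indicators. The sample PDF it runs on is constructed inline for the example and is not the analysed file; the function names, the severity levels and the list of obfuscation hints are assumptions chosen for the illustration. Only the FlateDecode filter is handled.

```python
import re
import zlib

# URL prefixes that occur in XFA/XDP and XMP content purely as XML namespace
# declarations (assumed list for this example). A URL outside these prefixes
# is the one that deserves a second look.
STRUCTURAL_URL_PREFIXES = (
    "http://www.xfa.org/schema/",   # xfa-template, xfa-data, xfa-config, ...
    "http://ns.adobe.com/",         # xdp and XMP namespaces
    "http://www.w3.org/",           # XMLSchema and the XML namespace itself
)
# Crude signs that a script assembles or decodes its real code at run time.
OBFUSCATION_HINTS = ("fromCharCode", "unescape(", "eval(")

STREAM_START = re.compile(rb"(?<!end)stream\r?\n")
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # skip indirect "n 0 R"
URL_RE = re.compile(rb"https?://[^\s\"'<>()\[\]]+")
XFA_SCRIPT_RE = re.compile(rb"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def iter_streams(pdf: bytes):
    """Yield (stream dictionary text, decoded bytes) for every stream object."""
    for m in STREAM_START.finditer(pdf):
        head = pdf[:m.start()]
        obj_pos = head.rfind(b" obj")
        dict_text = head[obj_pos:] if obj_pos != -1 else head[-512:]
        length, start = DIRECT_LENGTH.search(dict_text), m.end()
        if length:                               # direct /Length: slice exactly
            data = pdf[start:start + int(length.group(1))]
        else:                                    # indirect /Length: scan for keyword
            end = pdf.find(b"endstream", start)
            data = pdf[start:end] if end != -1 else pdf[start:]
        if b"/FlateDecode" in dict_text:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass                             # corrupt stream: analyse raw bytes
        yield dict_text, data


def classify_url(url: str) -> str:
    return "structural-namespace" if url.startswith(STRUCTURAL_URL_PREFIXES) else "external"


def analyze(pdf: bytes) -> dict:
    report = {"xfa": b"/XFA" in pdf,
              "js_action": b"/JavaScript" in pdf or b"/JS" in pdf,
              "open_action": b"/OpenAction" in pdf or b"/AA" in pdf,
              "xfa_scripts": [], "urls": []}
    seen = set()

    def add_urls(blob: bytes, channel: str):
        for raw in URL_RE.findall(blob):
            url = raw.decode("latin-1")
            if url not in seen:
                seen.add(url)
                report["urls"].append({"url": url, "channel": channel,
                                       "label": classify_url(url)})

    for _dict_text, data in iter_streams(pdf):
        is_xfa = b"<xdp:xdp" in data or b"xfa-template" in data
        if is_xfa:
            report["xfa_scripts"] += [s.group(1).strip().decode("latin-1")
                                      for s in XFA_SCRIPT_RE.finditer(data)]
        add_urls(data, "xfa" if is_xfa else "stream")
    add_urls(pdf, "document body")   # uncompressed objects, e.g. /URI link annotations
    return report


def findings(report: dict) -> list:
    out = []
    if report["xfa"]:
        out.append(("low", "XFA form present: can carry script logic"))
    if report["xfa_scripts"]:
        hinted = [s for s in report["xfa_scripts"] if any(h in s for h in OBFUSCATION_HINTS)]
        out.append(("high" if hinted else "medium",
                    f"{len(report['xfa_scripts'])} XFA script block(s), "
                    f"{len(hinted)} using runtime string decoding or eval"))
    if report["js_action"] and report["open_action"]:
        out.append(("medium", "JavaScript action wired to document open (/OpenAction or /AA)"))
    external = [u["url"] for u in report["urls"] if u["label"] == "external"]
    if external:
        out.append(("medium", "external URL(s) reached from the document: " + ", ".join(external)))
    else:
        out.append(("info", "no external URLs: every extracted URL is an XML namespace declaration"))
    return out


def build_sample_pdf() -> bytes:
    """Constructed sample, NOT the analysed file: a minimal PDF whose AcroForm
    points at a Flate-compressed XFA packet with an initialize-event script."""
    xfa_xml = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
               b'<template xmlns="http://www.xfa.org/schema/xfa-template/2.5/">'
               b'<subform name="form1"><event activity="initialize">'
               b'<script contentType="application/x-javascript">'
               b'var p = String.fromCharCode(101,118,97,108); this[p]("app.alert(1)");'
               b'</script></event></subform></template></xdp:xdp>')
    body = zlib.compress(xfa_xml)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [] /XFA 3 0 R >> /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
        b"<< /S /JavaScript /JS (this.resetForm\\(\\);) >>",
    ]
    out = b"%PDF-1.7\n"
    for num, obj in enumerate(objects, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"
```

Running `findings(analyze(build_sample_pdf()))` on the constructed sample yields a low finding for the XFA form, a high one for the script that builds "eval" with String.fromCharCode, a medium one for the JavaScript /OpenAction, and an info line stating that both extracted URLs (the xfa.org template namespace and the ns.adobe.com xdp namespace) are namespace declarations. The stream walker slices by the direct /Length value rather than searching for the endstream keyword, because compressed data can legitimately contain a trailing carriage return that a keyword scan would strip and break inflation; it falls back to the keyword only when /Length is an indirect reference.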