PDF malware analysis — malicious · e470d5da0bb6646e

MALICIOUS

PDF

28.5 KB

MD5: 43d621ad6249df3b464f45781c50e7a1 SHA-1: c31febb671c0bbee03ea77dc2fe5c368b362f217 SHA-256: e470d5da0bb6646ed800c767d49b2ae5f6db194ad6083ceacbc1421aef9c396d

68 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell

The critical ClamAV heuristic indicates this PDF contains JavaScript exploitation. The embedded URL, while seemingly benign, is associated with XFA forms, a known vector for PDF exploits. The obfuscated JavaScript in the document body, when deobfuscated, reveals code that likely attempts to download and execute a second-stage payload. The XFA form heuristic further supports the exploitation vector.

Heuristics 3

ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.HTML-30
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.