Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee8dcf7cdc2bc5c7…

MALICIOUS

PDF

8.0 KB
MD5: f897c39d40631d9d0cbe170aa62031df SHA-1: 793847c70793ac885cb879ef9d6d89ab7a306f65 SHA-256: ee8dcf7cdc2bc5c7232f547a5e7d735ffbc9087226a5ef89380815f9b8454126
126 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious File T1059.001 Command and Scripting Interpreter: PowerShell

The PDF was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Exploit.Agent-36836' and an ML classifier indicating maliciousness. The presence of an embedded script payload and embedded files strongly suggests an exploit attempt. While the document body is obfuscated and no specific script content was provided, the overall structure and detections point to a malicious PDF designed to deliver a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9938

Heuristics 5

  • ClamAV: Pdf.Exploit.Agent-36836 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36836
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
0a2224c4023b216235b61c3fc4dd17bbfac1ab23a545687f51b97604cf654712		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xD7 46 bytes
embedded_file_obj0009.bin
8578eaff1b1e17bffe206ef2b9c96d4dd12bf0be88329bfa591dfe4b0f2f1052		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x14D 690 bytes
embedded_file_obj0010.bin
9b3e3137f794b4b7749fdedcd46db5dc4d1f380440711c5edf7fc00a7458da87		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x44A 125 bytes
embedded_file_obj0011.bin
ec38a6c5398af5a3407e01b43a3792d40a397e86d84b1508f1f90e54b2b64354		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x512 412 bytes
embedded_file_obj0012.bin
d2f06f3fc6900856fe613a64a561919c8454dcbe0fdf238fb8b43e07016955ea		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x6F9 190 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.