Malicious PDF — malware analysis report

Static analysis result for SHA-256 eecff4e23efc4046…

Verdict: MALICIOUS
File type: PDF
Size: 28.1 KB
MD5: 57313868dae54582872c0bc167158182
SHA-1: 7b5ae4ec261054694b0b5fcdd998e4373ee9b864
SHA-256: eecff4e23efc4046a6edf65465c9826c337247831e3469095a27b86a597bcabe
Risk score: 70

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The sample is a PDF document that ClamAV flags with the signature Js.Exploit.HTML-30; that signature hit is the only critical finding. The document uses XFA (XML Forms Architecture). XFA is not a vulnerability in itself but an attack surface: XFA packets can carry their own JavaScript in <script> elements attached to form events, and the XFA parsers of PDF readers have historically been a target for exploitation. The page notes that the embedded JavaScript is partially obfuscated; it needs to be extracted and deobfuscated before its purpose can be asserted, since none of the static heuristics below establish what it does. The single extracted URL, http://www.xfa.org/schema/xfa-template/2.5/, is the XML namespace identifier of the XFA template element; a reader never fetches it, so it is not evidence of a secondary-payload download. The cross-check parser failed on the file (see below), which is consistent with a truncated or malformed structure but is not itself a detection. Nothing in the listed heuristics shows PowerShell activity, so the T1059.001 mapping is not corroborated by the static findings.

Heuristics (4)

  • ClamAV: Js.Exploit.HTML-30 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.HTML-30.
  • XFA form [low] PDF_XFA
    PDF uses XML Forms Architecture (XFA). XFA packets can carry their own script logic: JavaScript inside <script> elements bound to form events such as initialize or click.
  • PDF differential parser failed [info] PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file with PSEOF, its exception for reaching the end of the data unexpectedly, which usually means the file is truncated or its xref/trailer structure is missing or broken. The static heuristics still ran and their findings above are valid; only the differential cross-check signal is missing. A file that one parser rejects while a reader still renders it deserves extra scrutiny, since parser differentials are a common way to hide content from scanners.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-template/2.5/ (the XFA template XML namespace declared in the form's xmlns attribute: a schema identifier, not a link the reader fetches)
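The three low-level heuristics above (XFA present, script logic inside the XFA packets, URL extraction with namespace identifiers separated from real links) and the differential-parse failure can be reproduced with the Python standard library alone. The following is an added example written for this page, not the scanner's own code: the PDF it analyses is constructed inline, deliberately without an xref table or %%EOF so that a strict parser runs off the end of the data, and it carries a hypothetical, lightly obfuscated XFA script. The names build_sample_pdf, xfa_packets and triage are assumptions made here.

```python
"""Static triage of XFA-bearing PDFs using only the Python standard library.

Added example, not the scanner's own code. It mirrors the heuristics in the
report above: flag XFA, pull script logic out of the XFA packets, and separate
URLs that are merely XML namespace identifiers from URLs that could be a
delivery channel. The sample PDF is constructed below.
"""
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

XFA_TEMPLATE_NS = "http://www.xfa.org/schema/xfa-template/2.5/"

# Constructed XFA template packet with a lightly obfuscated JavaScript event.
# Hypothetical content; nothing here is taken from the analysed sample.
XFA_TEMPLATE_XML = (
    f'<template xmlns="{XFA_TEMPLATE_NS}">'
    '<subform name="form1"><field name="f1">'
    '<event activity="initialize">'
    '<script contentType="application/x-javascript">'
    'var s = unescape("%61%70%70"); app.alert(s);'
    '</script></event></field></subform></template>'
)


def build_sample_pdf() -> bytes:
    """Minimal PDF whose AcroForm references one FlateDecode XFA packet.
    The xref table, trailer and %%EOF are deliberately omitted so a strict
    parser runs off the end of the data, the failure mode behind PSEOF."""
    packet = zlib.compress(XFA_TEMPLATE_XML.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /AcroForm 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Fields [] /XFA [(template) 4 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packet)
        + packet + b"\nendstream",
    ]
    pdf = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf


OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
XMLNS_RE = re.compile(rb'xmlns(?::\w+)?="([^"]+)"')


def strict_parse_ok(pdf: bytes) -> bool:
    """Cheap stand-in for the differential cross-check: a structurally
    complete file carries startxref and ends with %%EOF."""
    return b"startxref" in pdf and pdf.rstrip().endswith(b"%%EOF")


def pdf_objects(pdf: bytes) -> dict:
    """Regex object carve; works on truncated files where an xref walk would not."""
    return {int(m.group(1)): m.group(2) for m in OBJ_RE.finditer(pdf)}


def stream_data(obj: bytes) -> bytes:
    """Raw stream body of an object, inflated when the filter is FlateDecode."""
    m = STREAM_RE.search(obj)
    if not m:
        return b""
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in obj else data


def xfa_packets(pdf: bytes) -> list:
    """Return (packet name, XML bytes) for every /XFA entry in the file.
    /XFA may be a single stream or an array of (name) ref pairs."""
    objs = pdf_objects(pdf)
    out = []
    for body in objs.values():
        arr = re.search(rb"/XFA\s*\[(.*?)\]", body, re.S)
        if arr:
            for name, ref in re.findall(rb"\((\w+)\)\s*(\d+)\s+0\s+R", arr.group(1)):
                out.append((name.decode(), stream_data(objs.get(int(ref), b""))))
            continue
        single = re.search(rb"/XFA\s+(\d+)\s+0\s+R", body)
        if single:
            out.append(("xfa", stream_data(objs.get(int(single.group(1)), b""))))
    return out


def triage(pdf: bytes) -> dict:
    """Run the XFA, script and URL heuristics even when strict parsing fails."""
    report = {"strict_parse_ok": strict_parse_ok(pdf), "xfa": False,
              "scripts": [], "namespace_urls": [], "other_urls": []}
    for name, xml in xfa_packets(pdf):
        if not xml:
            continue
        report["xfa"] = True
        namespaces = {u.decode() for u in XMLNS_RE.findall(xml)}
        for url in URL_RE.findall(xml):
            bucket = "namespace_urls" if url.decode() in namespaces else "other_urls"
            report[bucket].append(url.decode())
        try:
            root = ET.fromstring(xml)
        except ET.ParseError:
            continue  # malformed packet: keep the URL results anyway
        for el in root.iter():
            if el.tag.rsplit("}", 1)[-1] == "script":
                code = (el.text or "").strip()
                report["scripts"].append({
                    "packet": name,
                    "contentType": el.get("contentType", ""),
                    "code": code,
                    "decoded": unquote(code),  # undoes %XX escapes fed to unescape()
                })
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_pdf()), indent=2))
```

On the constructed sample, triage reports strict_parse_ok false (the truncated structure), xfa true, one application/x-javascript script whose %XX literal decodes to "app", and the xfa.org URL filed under namespace_urls with other_urls empty, which is exactly the split that keeps a schema identifier from being read as a payload link.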