Malicious PDF — malware analysis report

Static analysis result for SHA-256 f32b31bf93abb9db…

MALICIOUS

PDF

43.2 KB
MD5: 495a92bb0a12eb76d448c356111fb534 SHA-1: f8dca4c7952bc20080312d4b5492e4d522c8926d SHA-256: f32b31bf93abb9db56008e557eb991b6fb0e5047b90e9b431b6a6f9c28cda94f
198 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File T1204.002 Malicious File: User Execution T1059 Command and Scripting Interpreter

The PDF file contains embedded XFA forms with risky executable scripts, as indicated by multiple high and critical heuristic firings. ClamAV detected this as Pdf.Exploit.Agent-36836, suggesting it's a known exploit. The embedded script payload is likely responsible for the malicious behavior, potentially leading to the execution of further malicious code or exploitation of a vulnerability within the PDF reader.

Heuristics 8

  • XFA form contains risky executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • ClamAV: Pdf.Exploit.Agent-36836 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36836
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
04462f810d6eacdacecc9d0a5f3f81bebc722af4415e04da19b520338f642b51		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xD7 67 bytes
embedded_file_obj0009.bin
e2225cee13ca18c4f3cb47dcc1c3e92615b9c9d0574a4971cea51bf3ab93acb6		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x162 676 bytes
embedded_file_obj0010.bin
8f862640c64598de2a20541f8fcbf4cb3681fe9445ef5ef6c54dfb734073a829		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x451 127 bytes
embedded_file_obj0011.bin
dd87f7730a5b0b4e79b481f0a20d4c4dfb1d8fb7092f353f49ed4289931941af		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x51B 374 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_file_obj0012.bin
6dfc2cfc739bf5cd5514e048143c782a1af7b4c86ed10bd88203471efa9b3fe7		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x6DC 389 bytes
embedded_file_obj0014.bin
a177f1256d7840f325182bd8772196745eac9652d137f543d0eea7674495c098		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x8AE 41204 bytes
Detection
ClamAV: Pdf.Exploit.Agent-36836
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
embedded_file_obj0015.bin
51d6d76eddb1746e412f89f4d1c1b0d620c60fb4a5641c018e93871be63968a9		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0xA9EC 147 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.