Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8519ad396625d1f…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
MD5: 03128bfb3b2158b5a6fd30b0aca10e53
SHA-1: cb8f1a9c61039ed4d6d456494b8c2e856dca063c
SHA-256: f8519ad396625d1f6bb39c713312d141bc111f067af0aacbc33ca3d115a5b846
Risk Score: 186

Malware Insights

MITRE ATT&CK
  • T1204 User Execution
  • T1204.002 User Execution: Malicious File (user opens a malicious attachment)

The file is a PDF document flagged by multiple high-confidence heuristics, including ML classification and ClamAV detection (Pdf.Exploit.Agent-36830). It contains an embedded script payload and an embedded file, indicating it is designed to deliver and execute further malicious content. The ML classifier's output of 0.999995 strongly supports its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (6)

  • ClamAV: Pdf.Exploit.Agent-36830 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36830.
  • ClamAV detection on extracted artifact [critical, EXTRACTED_FILE_CLAMAV]
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • Embedded script payload in PDF stream [medium, PDF_EMBEDDED_SCRIPT_PAYLOAD]
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives; this is common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file [low, PDF_EMBEDDED]
    The PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low, PDF_XFA]
    The PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The three URLs below are XDP/XFA schema namespace identifiers declared by the form, not links the document contacts or directs the reader to.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: embedded_file_obj0008.bin
    SHA-256: 88ca72b4d798762572a5208025d38869836d711f45657dacc8023aaf2da268b5
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 8 at offset 0xC6
    Size: 42634 bytes
    Detection: ClamAV: Pdf.Exploit.Agent-36830
    Obfuscation or payload: unlikely