Malicious PDF — malware analysis report

Static analysis result for SHA-256 00543ac92b777c37…

MALICIOUS

PDF

99.3 KB
MD5: 4405e1c891548897940233d5ac621d4b SHA-1: 69e48d1caf5474ffcd7a24ca5f87b3b857310e4e SHA-256: 00543ac92b777c37f988fefdb7d11d6ac4df27dc612dee70644e4b7f3b798f28
128 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: Malicious Link T1204.002 Malicious Link: Clickjacking T1059 Command and Scripting Interpreter T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded content and triggers a critical vulnerability (CVE-2010-0188) related to Adobe Reader's XFA form processing. This exploit likely leads to the execution of a malicious payload, as indicated by the ML classifier and the embedded script payload heuristic. The embedded URLs are not directly indicative of malicious activity but are part of the XFA structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
ad9c1c422082ba489756a672f87680fbf17c7f5c0e5be4195a0b55a03ef8096a		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xC6 100986 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.