Malicious PDF / .TXT — malware analysis report

Static analysis result for SHA-256 012f30eebb965976…

Verdict: MALICIOUS
Type: PDF / .TXT
Size: 3.4 KB
MD5: 63df25105e6ee873daaa19fe08b50036
SHA-1: 8e6188264e5f363d5e2b0206840041c8e8edf679
SHA-256: 012f30eebb9659769402d1cb56474adbc8acb849c83bf62df6d67844402ba6d2
Risk Score: 110

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.001 Malicious Link: Malicious Link
  • T1204.002 Malicious Link: Clickjacking

The sample is a PDF file that uses XFA forms and is flagged for the CVE-2010-0188 vulnerability, indicating that it is designed to exploit Adobe Reader. The ML classifier strongly supports its malicious nature. The embedded URLs are the standard XFA schema and Adobe namespace URLs; the primary threat is the exploit itself rather than a user-facing lure in the document body.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 (severity: critical, tag: CVE likely, rule: CVE_2010_0188)
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • XFA form (severity: low, rule: PDF_XFA)
    PDF uses XML Forms Architecture (XFA), which can contain script logic.
  • ASCII85Decode filter (with exploit indicators) (severity: low, rule: PDF_FILTER_85)
    ASCII85 encoding filter present alongside exploit delivery indicators; uncommon outside of obfuscation.
  • Suspicious extracted artifact (severity: info, rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off000001e9.bin
SHA-256: c712203c46fe1ab221a6dfcdf0d3a8ba97bc9f22451cdc305c8d3a73064695c6
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x1E9
Size: 13469 bytes
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely
  • Carved artifact contains 1 long base64-like blob(s).