Malicious PDF — malware analysis report

Static analysis result for SHA-256 02938cb005373dfe…

MALICIOUS

PDF

226.6 KB Created: Y‚¬.×Å튥îò;”a ¦97Î4(-ˌo¸¿þÓvõ\F­×VÕº9Æ[‚â2ã Authoring application: cIøuVÙJ½ÿ–- €(y]®:¤N"U®žœ|4Š™m8}ɵ·¾üGe…g (via LΩ¦õfgü±¨*^Èï÷‹qþ‡#_’~3¢¹™°UM{Ùñm"q*3‚Qa¼CV®y)
MD5: cb9ab22f3356a3b054a7e9282a69f71e SHA-1: e95fa5a2ddf7aa7ed2205d3b1ee47faaf65b7c2d SHA-256: 02938cb005373dfe13e6ef1593c49407c7673f76c3c9b64ee4e4ee265680889d
326 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains multiple critical heuristic firings indicating exploits for CVE-2010-2883 and CVE-2011-2462, along with embedded JavaScript. The JavaScript code, despite obfuscation, appears to be designed to execute further malicious actions, likely involving the download of additional payloads. The presence of XFA forms and encrypted content further suggests an attempt to hide malicious code.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics 11

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • Adobe Reader U3D parser exploit with JavaScript heap spray critical CVE likely CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts 15

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0010.bin
ac8933124b39f5c050ce0a884fd82792c9a25ee3820f042bdb402cd88ccc7009		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x17C5 163 bytes
embedded_file_obj0011.bin
03b5e1c7293c21db340143355e13bdc38f1ffd21437ddf113527315dfc8a0bad		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x18B7 1499 bytes
embedded_file_obj0012.bin
3557813d348bb7ec8cb90ab9e73cc90edd8d3c3d3efac1a965300386c4368128		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x1B89 12611 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0013.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x2B1D 150 bytes
embedded_file_obj0014.bin
7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x2BEE 3023 bytes
embedded_file_obj0015.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0x2F7F 200 bytes
embedded_file_obj0016.bin
89f0afac5b52516dbb3d5e6f2ca3e54a5b1b26b856f962804219ad47fc4c7c64		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x3073 835 bytes
embedded_file_obj0017.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x324C 56 bytes
javascript_obj0037_000.js
c62c23e02cc43c8fa25bafabb751ab0bdbc4777b4dca69b19b0b3a2dd9092f32		 pdf-javascript-stream PDF /JS object 37 at offset 0x3EEB 18711 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_000.js
14ebe056484fda87c7feba64c1c7c0e34ed2bb3abc167831fc70177c66ef14b0		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 37 at offset 0x3EEB 17977 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_001.js
90575c48f677be23205d85a7cc8e7e194d53af71d43930f528e3e95eb53d4ed1		 deobfuscated-js generic stage recovery marker-MM-to-%u from JavaScript object 37 at offset 0x3EEB 6697 bytes
generic_stage_recovery_002.js
ade66d17efe6aebe9ad0614f94afe5c4c2b39359af2f6a35c62b43293fe9758d		 deobfuscated-js generic stage recovery marker-MM-to-%u from decompressed stream at 0x1B89 at offset 0x1B89 8268 bytes
font_00_sfnt_off00005c48.bin
fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C48 7965 bytes
font_01_sfnt_off00005fa0.bin
d1a2415a6549c487a6ae8ce85bcac0bd427180a803fd8bd7fc41e66b32dce03e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5FA0 45760 bytes
u3d_00_off00005774.bin
db47f9e6c2fa22cca9aaaaba842bc1035f54c0acd3737dbd64b69dc1671da5eb		 pdf-3d-stream PDF U3D 3D stream at offset 0x5774 1268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.