Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c8f17b2130addeb…

MALICIOUS

PDF

365.7 KB Created: ò\%Ôò*5¡¤V6ÝÓïÚ\'ç$Ã& Authoring application: Ï ä Œ@ˆO’Þƒ³ÎT¶Þãmøð;aµùTØÉÄU=¼›_ §&Wˆï,A-«9þRoq (via «z‡£o%ÕXånƒŽ½ƒL&î%Ý1ô#f”w«÷ˋ)
MD5: 3abfe5fd78ffddebf23bd46edf4e4eb7 SHA-1: 432e43053a65d8de9011198aaa8d9fbe679cfba6 SHA-256: 0c8f17b2130addebcb2ca75bd7a982e37ddcc49d49e79fe60e3fda767f2ec972
280 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file is malicious and exploits CVE-2010-2883, a known vulnerability in Adobe Reader's CoolType font parsing. The embedded JavaScript, detected as Js.Exploit.Shellcode-18, is designed to download and execute a second-stage payload. The ML classifier and ClamAV also flagged this file as malicious, reinforcing the critical nature of the exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 0.7884

Heuristics 10

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • ClamAV: Js.Exploit.Shellcode-18 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.Shellcode-18
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.bitstream.com
    • http://www.iec.ch

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0389_000.js
31f2f5d4541a1159f791089da865bf717613ec68ba77d6176fad30b29739f96a		 pdf-javascript-stream PDF /JS object 389 at offset 0xCD8B 6156 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s).
stream_042_off00020844.bin
55e148c95ca71acc5a4dece44ccfcd3a3c7f785ce645e5f358d766366923da53		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x20844 29856 bytes
icc_00_off0000d678.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0xD678 3144 bytes
font_00_sfnt_off0000f865.bin
5bf9f36327bf2df5ebc3171b1d1d8d4fa389ff6ced49fcd4036db773a85eedbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF865 65932 bytes
font_01_sfnt_off0002e632.bin
acb6fad1cdb7c1b96547975eb155d19368d7bbd0e97521ccdf25d67cdeebf721		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2E632 20000 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.