Malicious PDF — malware analysis report

Static analysis result for SHA-256 163bbb7cd3f84a15…

MALICIOUS

PDF

249.6 KB Created: ”¶ïB¬½þIóH}´;ghH‰ÿƒ¬y¦ùà-줇°g“¬šC~àÆðÀÈR+ Authoring application: }ã^Ý¿g4l–QZ½‹ðµv´™æ¯+©x÷iÁ.,\ÌßÌiHà Ö:L (via KÂíªè;ÎañÚÓ´†ef ãþ8/Ê]˜-ґ)èÀ÷håßêÈa)
MD5: 3ba7fc002d19e6a9d8f21e6567604aa0 SHA-1: 7bc990c550ecd37e662f63345b9a8505dab1d46b SHA-256: 163bbb7cd3f84a158d6c6440047a2266ef69d7dc61b751f749fb6597f4d35b52
548 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF file is heavily laden with exploit indicators targeting multiple Adobe Reader vulnerabilities, including CVE-2010-2883, CVE-2010-1297, and CVE-2011-2462. The presence of embedded JavaScript, including obfuscated and deobfuscated streams, strongly suggests that the primary function is to download and execute a secondary payload. ClamAV detection as 'Pdf.Dropper.Agent-1507030' further supports its role as a dropper.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9921

Heuristics 16

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA
    PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
  • Adobe Reader U3D/RichMedia parser exploit critical CVE likely CVE_2011_2462
    PDF combines U3D 3D content with RichMedia/Flash activation and JavaScript/action surfaces. This is the U3D RichMedia exploit document shape associated with CVE-2011-2462.
  • Adobe Reader U3D parser exploit with JavaScript heap spray critical CVE likely CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Dropper.Agent-1507030 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-1507030
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF paints image(s) but contains no text operators info PDF_IMAGE_ONLY_LURE
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts 16

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0010.bin
ac8933124b39f5c050ce0a884fd82792c9a25ee3820f042bdb402cd88ccc7009		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x17D3 163 bytes
embedded_file_obj0011.bin
03b5e1c7293c21db340143355e13bdc38f1ffd21437ddf113527315dfc8a0bad		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x18C5 1499 bytes
embedded_file_obj0012.bin
3557813d348bb7ec8cb90ab9e73cc90edd8d3c3d3efac1a965300386c4368128		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x1B97 12611 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
embedded_file_obj0013.bin
720c47f19e6a058099295d18a16b7149cc73fe497eb78821ea810f3192228dc4		 pdf-embedded-file PDF EmbeddedFile object 13 at offset 0x2B2B 150 bytes
embedded_file_obj0014.bin
7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0x2BFC 3023 bytes
embedded_file_obj0015.bin
4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0x2F8D 200 bytes
embedded_file_obj0016.bin
89f0afac5b52516dbb3d5e6f2ca3e54a5b1b26b856f962804219ad47fc4c7c64		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x3081 835 bytes
embedded_file_obj0017.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 17 at offset 0x325A 56 bytes
8.swf
672e4c5bd34252ddf166860c9875ca782cd8bf35579622ce76be025c6612b25c		 pdf-embedded-file PDF EmbeddedFile object 70 at offset 0xB8EC 2557 bytes
javascript_obj0043_000.js
1e85fd92d55c20bc8425a24ffd4f06f374237830ce501c0dc86adea626428f75		 pdf-javascript-stream PDF /JS object 43 at offset 0x434D 20353 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_000.js
87888376325333dc7d83e9fb9edee5ca0669c36fe48e9b1a1e537d04fa2f06b6		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 43 at offset 0x434D 19893 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_001.js
e8b2819948b71355fddc693787cb9aa5ab7094c4043184e6b7a106b220a99e6c		 deobfuscated-js generic stage recovery marker-MM-to-%u from JavaScript object 43 at offset 0x434D 5922 bytes
generic_stage_recovery_002.js
ade66d17efe6aebe9ad0614f94afe5c4c2b39359af2f6a35c62b43293fe9758d		 deobfuscated-js generic stage recovery marker-MM-to-%u from decompressed stream at 0x1B97 at offset 0x1B97 8268 bytes
font_00_sfnt_off0000658d.bin
fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x658D 7965 bytes
font_01_sfnt_off0000840d.bin
d1a2415a6549c487a6ae8ce85bcac0bd427180a803fd8bd7fc41e66b32dce03e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x840D 45760 bytes
u3d_00_off000060a4.bin
db47f9e6c2fa22cca9aaaaba842bc1035f54c0acd3737dbd64b69dc1671da5eb		 pdf-3d-stream PDF U3D 3D stream at offset 0x60A4 1268 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.