PDF malware analysis — malicious · 1a3d754282c680f6

MALICIOUS

PDF

24.1 KB

MD5: 25de848a6d6e651f94ff281a1b0996a8 SHA-1: 997699bf947b12dc25770b8ed38080e7fcda82e5 SHA-256: 1a3d754282c680f6875ab174b8123a480e596d3e2cf2f1661eccfbcb9b2a6fd5

128 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1059.001 Command and Scripting Interpreter: PowerShell T1059.007 Command and Scripting Interpreter: JavaScript

The PDF file contains an XFA form and exploits CVE-2010-0188, a known vulnerability in Adobe Reader related to LibTIFF processing within XFA forms. ClamAV also detected it as Js.Exploit.HTML-30, indicating embedded JavaScript exploitation. The embedded URL is likely related to the XFA template but is not directly malicious. The primary attack vector is the exploitation of the Adobe Reader vulnerability to execute malicious JavaScript.

Heuristics 4

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.HTML-30
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.