PDF malware analysis — malicious · 1a72a86da0954749

MALICIOUS

PDF

118.9 KB Created: 2010-04-06 16:47:07 +08:00 Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))

MD5: 015ce372e404d31d417317c163802d91 SHA-1: 3159a68a74ca03ab7631c2f5484cad0c973c4ea3 SHA-256: 1a72a86da0954749a748b63e132cc6d068cacb65d60c3ffaca0a064587e5b9f1

120 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059 Command and Scripting Interpreter

The PDF file contains an embedded XFA form that exploits CVE-2010-0188, a vulnerability in Adobe Reader's LibTIFF component. This exploit allows for the execution of arbitrary code. A secondary embedded PDF was also detected with suspicious findings, indicating a potential multi-stage attack. No document body text was available for analysis, but the exploit itself is the primary indicator of malicious intent.

Heuristics 7

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `5a479ff2881cc991bf2f5e5dffd9080c2332683563d973d5bbbbddf0f58331ed`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x51	13430 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`icc_00_off00019dea.icc` `2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e`	pdf-icc-profile	PDF ICC profile at offset 0x19DEA	3144 bytes
`polyglot_child_pdf_off00018c3f.pdf` `9e8435e7a39b35b3b2e29bcfdd9d10de60477ea107e3e6cba8cf784c474c6240`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x18C3F	20333 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.