Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c98762244d54a6b…

MALICIOUS

PDF

3.3 KB Created: 2005-09-29 09:27:34 UTC Authoring application: Adobe PDF Library 8.0
MD5: e8c4403507621edbf998aba949875a31 SHA-1: d01d7c49f73c96a4d7c92c789d50597d12870ea4 SHA-256: 1c98762244d54a6bbf6647a1b656b896771be1af0b75ef411200f34b2996e1c1
100 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.002 Malicious File T1566 Phishing T1566.001 Spearphishing Attachment T1059.001 PowerShell

This PDF document exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms and TIFF image parsing. The critical heuristic firing indicates that the file contains an inline XFA image payload designed to exploit this specific vulnerability. While no JavaScript or VBA scripts were directly extracted, the presence of embedded files and JavaScript actions suggests a multi-stage attack. The exploit likely leads to the execution of a second-stage payload, though its nature cannot be determined from the provided evidence.

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0004.bin
4fd92980f482ae49b40757401a202b64d40e8fa5f1384fca14f27015636fdc98		 pdf-embedded-file PDF EmbeddedFile object 4 at offset 0x1C6 35879 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.