Malicious PDF — malware analysis report

Static analysis result for SHA-256 22450947990742ec…

MALICIOUS

PDF

4.2 KB
MD5: d7d5faa27d047b9b56f715dc0aaa58a4 SHA-1: ba05ce52010fc0daa2b8f852e06824de26b29b98 SHA-256: 22450947990742eca9f5967dd651a3495e79f522c9c502e532b83779efb2b08c
126 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059 Command and Scripting Interpreter

The PDF sample exploits the CVE-2010-0188 vulnerability in Adobe Reader, leveraging XFA forms and embedded scripts to achieve arbitrary code execution. The ML classifier strongly indicates malicious intent. No specific malware family was identified, but the exploit is the primary attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
0a06755e316048b8a51290bfe93878efff3a3c2ee2e59acc6c1615abe62d384d		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xEA 12920 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.