Malicious PDF — malware analysis report

Static analysis result for SHA-256 2400a59047d747b5…

Verdict: MALICIOUS
File type: PDF
Size: 16.7 KB
First seen: 2021-01-11
MD5: 9f22a22972e302c67e1060bfe96a78ef
SHA-1: b34b7fc52159f7e79cc1682ebf5b88e215d3d06d
SHA-256: 2400a59047d747b574fdca53eb703c25cac1acf624acfe2f77b292bcd7f2d163
Risk score: 120

Machine Learning

  • Nyx PDF Classifier clean score 0.0266

Heuristics (2)

  • CoolType Type 1 Multiple-Master font overflow, CVE-2010-1797 (jailbreakme). Severity: critical. Confidence: likely. Rule: CVE_2010_1797
    The PDF embeds a Type 1 (PostScript) font whose clear-text section carries the Multiple Master Blend keys (/BlendDesignPositions, /BlendAxisTypes, /BlendDesignMap) together with an over-long overflow filler: a giant array of one repeated token, a contiguous junk token of 1 KB or more, or a self-label that is blatantly invalid. Multiple Master is a deprecated Type 1 sub-format, and its Blend handling drives a stack buffer overflow in the FreeType and Adobe CoolType Type 1 parsers; this is the static shape of the 2010 "jailbreakme" font 0-day (CVE-2010-1797), the /FontFile (Type 1) counterpart of the CVE-2010-2883 SING-table exploit in an embedded TrueType font. The malicious bytes sit inside a FlateDecoded /FontFile stream, so JavaScript, heap-spray and raw-byte rules that do not inflate streams never see them; rendering a single glyph from the font is enough to force the vulnerable parse.
  • ClamAV: Pdf.Dropper.Agent-7387497-0. Severity: critical. Rule: CLAMAV_DETECTION
    ClamAV signature match: the file is detected as Pdf.Dropper.Agent-7387497-0.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off000003eb.bin
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x3EB
Size: 414841 bytes
SHA-256: 7a4168df0cc6f2183ede540d8ba17ee1a33a66b81df947a769279f0a0e06ce50

The single carved stream inflates to 414,841 bytes out of a file that is only 16.7 KB, a Deflate ratio of at least 24:1. That is what a clear-text filler built from one repeated token looks like after compression, and it is why the embedded font has to be inflated before any font-parser rule can see it.
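The stream carving behind the artifact table and the Type 1 Multiple Master check described under the heuristic, as an added example in Python; this is not the analysis platform's own detector. The script walks every `N 0 obj << ... >> stream` object in a PDF, inflates FlateDecode streams, records data offset, inflated size and SHA-256 as the table does, and flags a stream whose clear-text Type 1 portion carries the Blend keys together with filler (a contiguous token of 1 KB or more, or one short token repeated dozens of times). The thresholds, the regular-expression shapes and the synthetic two-stream PDF are assumptions made here; the scanner does not follow the xref table, object streams or indirect /Length references, so treat a miss on a real sample as "not seen" rather than "not present" and re-run it through a full PDF parser.

```python
import hashlib
import re
import zlib

# Markers of a clear-text Type 1 font and the Multiple Master Blend keys the
# report's heuristic keys on.
T1_MARKERS = (b"%!PS-AdobeFont", b"%!FontType1", b"/FontType 1")
MM_BLEND_KEYS = (b"/BlendDesignPositions", b"/BlendAxisTypes", b"/BlendDesignMap")

# Filler thresholds are assumptions made here, not the platform's tuned values.
JUNK_TOKEN_MIN = 1024  # one contiguous token of this many bytes or more
REPEAT_MIN = 64        # one short token repeated this many times in a row

# "N 0 obj << ... >> stream": the lookahead keeps the dictionary inside one object.
OBJ_STREAM_RE = re.compile(rb"\bobj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # skips "12 0 R"
JUNK_TOKEN_RE = re.compile(rb"[^\s()<>\[\]{}/%%]{%d,}" % JUNK_TOKEN_MIN)
REPEAT_RE = re.compile(rb"(?<!\S)(\S{1,32})(?:\s+\1){%d,}" % (REPEAT_MIN - 1))


def carve_streams(pdf):
    """Yield (data_offset, stream_dict, raw_bytes) for every stream object,
    trusting a direct /Length and falling back to the endstream keyword."""
    for m in OBJ_STREAM_RE.finditer(pdf):
        sdict, start = m.group(1), m.end()
        lm = DIRECT_LENGTH_RE.search(sdict)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end if end >= 0 else len(pdf)].rstrip(b"\r\n")
        yield start, sdict, raw


def inflate(raw):
    """zlib-inflate, returning what can be recovered from a truncated stream."""
    return zlib.decompressobj().decompress(raw)


def clear_text(font):
    """Clear-text part of a Type 1 font: everything before the eexec section."""
    return font.split(b"eexec", 1)[0]


def is_type1_mm(font):
    head = clear_text(font)
    return any(t in head for t in T1_MARKERS) and any(k in head for k in MM_BLEND_KEYS)


def has_overflow_filler(font):
    head = clear_text(font)
    return bool(JUNK_TOKEN_RE.search(head) or REPEAT_RE.search(head))


def analyze(pdf):
    """One record per stream: data offset, inflated size, SHA-256 and the verdict
    (Type 1 MM font plus overflow filler), mirroring the artifact table above."""
    results = []
    for offset, sdict, raw in carve_streams(pdf):
        data = raw
        if b"/FlateDecode" in sdict:
            try:
                data = inflate(raw)
            except zlib.error:
                pass  # corrupt stream: scan the raw bytes rather than drop it
        mm, filler = is_type1_mm(data), has_overflow_filler(data)
        results.append({"offset": offset, "size": len(data),
                        "sha256": hashlib.sha256(data).hexdigest(),
                        "type1_mm": mm, "filler": filler, "mm_overflow": mm and filler})
    return results


def build_sample():
    """Constructed sample (not the report's file): a benign content stream plus a
    Type 1 MM font padded with a 4096-element repeated-token array."""
    font = (b"%!PS-AdobeFont-1.0: SynthMM 001.000\n"
            b"/FontName /SynthMM def\n"
            b"/FontType 1 def\n"
            b"/BlendAxisTypes [/Weight /Width] def\n"
            b"/BlendDesignPositions [[0 0] [1 0] [0 1] [1 1]] def\n"
            b"/BlendDesignMap [[[0 0] [1 1]] [[0 0] [1 1]]] def\n"
            b"/Pad [ " + b" ".join([b"0"] * 4096) + b" ] def\n"
            b"currentfile eexec\n" + bytes(range(64)))
    content = b"BT /F1 12 Tf 72 720 Td (hello) Tj ET\n"
    pdf = bytearray(b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n")
    for num, payload in ((3, content), (4, font)):
        comp = zlib.compress(payload)
        pdf += b"%d 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % (num, len(comp))
        pdf += comp + b"\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(pdf), font


if __name__ == "__main__":
    sample, _ = build_sample()
    for r in analyze(sample):
        print("offset 0x%X size %d sha256 %s mm_overflow=%s"
              % (r["offset"], r["size"], r["sha256"][:16], r["mm_overflow"]))
```

Run against a real sample with `analyze(open(path, "rb").read())`; the offset printed is the start of the stream data, so it will not line up exactly with the object offset in the artifact table, and the inflated size and SHA-256 are what should match.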