Malicious PDF — malware analysis report

Static analysis result for SHA-256 35b330c993521718…

MALICIOUS

PDF

261.9 KB
MD5: d69ceb116ea928e7702da26d8d025111 SHA-1: 16ef87e92158ef2dcec084cc685b64143aa40353 SHA-256: 35b330c9935217187d36b752ef558d36728198077f73837f9ab6b076ac5008ae
144 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File

The sample is a PDF file that triggers a critical heuristic for the Adobe Reader CoolType SING font exploit (CVE-2010-2883). It also contains embedded JavaScript, indicating an attempt to execute malicious code. The presence of obfuscated objects further suggests malicious intent. The document body is unreadable, but the exploit and script presence strongly indicate a malicious payload delivery.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3177

Heuristics 6

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0012_000.js
17a5a6b864a258118e29a5ec1d126d2b7e3007d009afa324fa814005c62d77df		 pdf-javascript-stream PDF /JS object 12 at offset 0x40B5B 6380 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.