PDF malware analysis — malicious · 37114c715c0892f7

MALICIOUS

PDF

24.1 KB

MD5: 67a59fd7a813369b01fd3dc655e0f6eb SHA-1: 1fff3f2a7d6acf28d444083f3db900ef0fa36537 SHA-256: 37114c715c0892f7aeb82ea88c198a14a362a55d89c039fbe0c31ebc52257d39

128 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a PDF document that exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms and LibTIFF. This exploit allows for arbitrary code execution. The embedded URL appears to be related to XFA schema, which is consistent with the exploit.

Heuristics 4

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Pdf.Exploit.Agent-36821 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36821
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.