Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a24c3da6a6b30d0…

Verdict: MALICIOUS
File type: PDF
Size: 43.2 KB
MD5: cd72aa45ccf5607d340f5f167e1c7983
SHA-1: 1e9a022d22e84ec29ac113d1e452fe4107308473
SHA-256: 3a24c3da6a6b30d05c00ac1f9ce96d4dee1700f4f56ab14fcf2002c39117ffb6
Risk Score: 226

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a PDF file that exploits CVE-2010-2883, a known vulnerability in Adobe Reader. It contains embedded JavaScript and a PE executable payload. The primary attack vector appears to be exploitation of the Adobe Reader vulnerability to drop and execute the embedded payload on the victim's machine.

Heuristics (8)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 (severity: critical; CVE likely; rule: CVE_2010_2883)
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • Embedded Windows executable payload in PDF stream (severity: critical; rule: PDF_EMBEDDED_PE_PAYLOAD)
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ClamAV: Pdf.Exploit.Agent-30132 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-30132.
  • ASCIIHexDecode filter (with exploit indicators) (severity: medium; rule: PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low; rule: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256, Detection (where available).

  • javascript_obj0029_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x89A1
    Size: 8243 bytes
    SHA-256: 230a2278b7c27f64cd44c0b7f14c6ac98d7e5a9db81e664e4c3f1b353e570296
    Detection: ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 2 long base64-like blobs).
  • javascript_obj0038_001.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 38 at offset 0x1B83
    Size: 1242 bytes
    SHA-256: 2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe
  • javascript_obj0039_002.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 39 at offset 0x2167
    Size: 1572 bytes
    SHA-256: d8bbcc5984e6bec8996e18881fad0486ff520c9b9f03ee0fb9694ddfc412340d
  • stream_003_off00000b11.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB11
    Size: 434 bytes
    SHA-256: 69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7
  • embedded_pdf_000028e1.exe
    Kind: embedded-pe
    Source: PDF raw stream PE payload at offset 0x28E1
    Size: 24750 bytes
    SHA-256: d52c59d72234b3ef5c125798f49f3686f7e92ff808c6f7f145488c2ae5477241
  • font_00_sfnt_off00001152.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1152
    Size: 7965 bytes
    SHA-256: 9d902019b5b13f19b5dd2d34db9324f8359c9155b014728a924fac6549b9e6e1
  • font_01_sfnt_off00001904.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1904
    Size: 7965 bytes
    SHA-256: 1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba