Malicious PDF — malware analysis report

Static analysis result for SHA-256 4133492a502a938a…

Verdict: MALICIOUS
File type: PDF
Size: 1.01 MB
MD5: fed4252bb19e578b9443c542ab5a6150
SHA-1: 58e68565017565977e1e1abab4fff01b1d55b891
SHA-256: 4133492a502a938a2f18998761f6a858171f06921f02450f09021e29584eeb86
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1204 Malicious Link
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell

The PDF sample triggers multiple high-severity heuristics indicating exploit preparation and the presence of a hidden external HTML iframe. Specifically, the PDF_CCITT_CVE_2010_0188_RELATED heuristic suggests an exploit targeting a known vulnerability, and the PDF_HIDDEN_HTML_IFRAME heuristic indicates an attempt to load external content. The presence of XFA forms also points to potential exploitability. The single unknown-reputation URL, http://www.ereading.cz/mamu.htm, is the only potential indicator of a malicious destination.

Heuristics (5)

  • [high] CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator (PDF_CCITT_CVE_2010_0188_RELATED, CVE related)
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • [high] PDF contains hidden external HTML iframe (PDF_HIDDEN_HTML_IFRAME)
    PDF bytes contain a hidden zero-size HTML iframe pointing to an external HTTP(S) URL. This is a strong malicious dropper/redirect indicator and is not expected in ordinary PDF content.
  • [low] XFA form (PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic (matched inside decoded stream).
  • [info] Suspicious extracted artifact (EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] Embedded URL (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
      • http://www.ereading.cz/mamu.htm (unknown reputation)
      • http://www.w3.org/1999/02/22-rdf-syntax-ns#
      • http://ns.adobe.com/iX/1.0/
      • http://ns.adobe.com/pdf/1.3/
      • http://ns.adobe.com/xap/1.0/
      • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
      • http://ns.adobe.com/xap/1.0/sType/ManifestItem#
      • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
      • http://ns.adobe.com/xap/1.0/mm/
      • http://ns.adobe.com/xmp/InDesign/private
      • http://purl.org/dc/elements/1.1/
      • http://ns.adobe.com/tiff/1.0/
      • http://ns.adobe.com/exif/1.0/
      • http://ns.adobe.com/photoshop/1.0/
      • http://ns.adobe.com/xap/1.0/g/img/
      • http://ns.adobe.com/pdfx/1.3/
      • http://ns.adobe.com/swf/1.0/
    Apart from the first entry, these are standard XMP/RDF metadata namespace identifiers (Adobe XMP, Dublin Core, RDF syntax) rather than navigable destinations.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Filename: stream_013_off00027456.bin
  SHA-256: d75165725c81f895aab96e2c7132c3ee7918fce6392893fcdfbde894464a0c3b
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x27456
  Size: 5617 bytes

Filename: stream_029_off00061d01.bin
  SHA-256: b8e2518b116c26bab0e9f8c1672daf405dedad561157502b657e9005be2029aa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x61D01
  Size: 367087 bytes

Filename: font_00_cff_off000a3ccb.bin
  SHA-256: 8f5033378ef83816e0fbc4e691928cf49b9f02860add589358635569cf1d10b6
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA3CCB
  Size: 4393 bytes

Filename: font_01_cff_off000a4b65.bin
  SHA-256: 6794dc43eca5bc88848460bcf5a2c3fc9f67c9aa04d37d238bdf29b83771fc09
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA4B65
  Size: 2236 bytes

Filename: font_02_cff_off000a56b5.bin
  SHA-256: 59e4f5cd86836c74fb4462e21aab4525003f5a605f33647dc85e27c3a14e8d7e
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA56B5
  Size: 2444 bytes

Filename: font_03_cff_off000a5f81.bin
  SHA-256: 58ba91dce58530755b956e21e1b5eb3e63e3a6f3a14fa9d2c6a767b18ace19a6
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA5F81
  Size: 3573 bytes

Filename: font_04_cff_off000a69ba.bin
  SHA-256: 60e2c62b3fb1ea5359cab096f535835cd7aef9ba276f5c8d02bd134e00e4d36d
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA69BA
  Size: 1330 bytes

Filename: font_05_sfnt_off000a6fc6.bin
  SHA-256: 1626e6329f65d0d35cdf751ec668ac4b8800d726707d01e7810bb8297d789dee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA6FC6
  Size: 94351 bytes

Filename: font_06_cff_off000b7a9c.bin
  SHA-256: 9696970cc45fdf34e91cef8f885fb7d0e079092ce51f8cd586f05524925d4209
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xB7A9C
  Size: 12148 bytes

Filename: font_07_cff_off000ba486.bin
  SHA-256: d2a430cc4f0e17249079a7982a4eee1bf6163d45e752e050ce90028bf1351f09
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xBA486
  Size: 19116 bytes

Filename: font_08_cff_off000be365.bin
  SHA-256: d20704888b078cf90084236dae978d7fd17bd706a9e7568a9b70ffcf287769d2
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xBE365
  Size: 19529 bytes
  Detection:
    ClamAV: No threats found
    Obfuscation or payload: likely
    Carved artifact entropy is 7.41, consistent with packed or encrypted content.

Filename: font_09_cff_off000c3206.bin
  SHA-256: 5475b7586f60a335b8fe07fa87f4cd7b625a5a56990a0b4a7017fce072130582
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xC3206
  Size: 12049 bytes