PDF malware analysis — malicious · 41b7da211792d026

MALICIOUS

PDF

24.2 KB

MD5: f1167fc59b45e6d83bdc4c2ccab4f677 SHA-1: aee7e8f57a8e5c69a9d44238bd00635b2b78c1aa SHA-256: 41b7da211792d0264295d1be392fca97d2b9642ede3a217f6ba4fe292bebf758

130 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1566.001 Phishing: Spearphishing Attachment T1204 User Execution

The sample is a PDF file that leverages the CVE-2010-0188 exploit targeting Adobe Reader's LibTIFF component. This exploit is known to be used for delivering malicious payloads. The presence of XFA form elements further supports the exploitation vector. The embedded URL, while seemingly benign, is often part of the exploit chain or used for further stages.

Heuristics 5

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Pdf.Exploit.Agent-36821 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36821
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.