Malicious PDF — malware analysis report

Static analysis result for SHA-256 48e99b7485215308…

MALICIOUS

PDF

2.5 KB
MD5: 2e6fc07b90f360be07c05ae143619ddb SHA-1: 629b33cdaa6dec0ddcb74f867beea43e1d272c80 SHA-256: 48e99b7485215308ef0bab9357dbb21e0b9356146dd1769e0ae7726b1ca0e445
76 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is a PDF document that exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms and LibTIFF image parsing. This exploit allows for arbitrary code execution. The embedded artifact is likely the payload for this exploit.

Heuristics 3

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
2747917e4bd688b95ed03dbe806575e484d3a2f012557d9366bf4046f469321f		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x51 13581 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.