Malicious PDF — malware analysis report

Static analysis result for SHA-256 569985e873fde832…

MALICIOUS

PDF

57.4 KB
MD5: 0405e24f22e32870908dcf1a71088b07 SHA-1: 217e046d6f23140609e747c7e2fc2902dd95b8d3 SHA-256: 569985e873fde8326095464a7f4029413f6236575e4fb1e2ff1bdadd30a06af9
78 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The PDF file contains an embedded XFA form with a critical vulnerability identified as CVE-2010-0188, which targets Adobe Reader. This exploit is designed to execute arbitrary code, indicating the document's primary purpose is to compromise the user's system upon opening. No specific malware family could be identified, but the exploit vector is clear.

Heuristics 4

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
b8a4708c483c80e4c543a799a33a4b72ae1952071476cceec324f0595305fa6d		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x51 13442 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.