Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b26e76efcad4055…

Verdict: MALICIOUS
File type: PDF
Size: 84.5 KB
MD5: 9026125fc7e26093a787edb33a9ee8ec
SHA-1: 3d6bde8374fda11251c7eda17e3bc3d73a0320fd
SHA-256: 5b26e76efcad40551f7c0a21ca578a46e6ac16eca64d9e3269c378b03ded5b99
Risk score: 238

Malware Insights

MITRE ATT&CK

  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The sample embeds JavaScript and carries the exploit shape of CVE-2010-2883, a stack buffer overflow in Adobe Reader's CoolType font engine that is triggered when it parses a malformed SING table inside an embedded TrueType/OpenType font. The JavaScript streams are the staging half of that exploit: the 'generic recovered JavaScript exploit stage' heuristic recovered obfuscated code containing shellcode and heap-spray markers, which is what the CoolType overflow needs already laid out in memory by the time the font is parsed. Whether that shellcode then downloads a second stage cannot be established from static analysis alone; no download URL was recovered, and the three URLs extracted from the document are XFA schema namespaces rather than network indicators. The XFA form content is the container that carries the script, not an exploit in its own right.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (9)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 [critical, CVE likely] CVE_2010_2883
    The PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883: the font triggers the overflow in CoolType's SING table parser, and the JavaScript heap spray is what makes the corrupted control flow land on attacker-controlled bytes.
  • PDF JavaScript exploit cluster [critical] PDF_JS_EXPLOIT_CLUSTER
    The PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript on its own remains low-severity; this correlated cluster is high-confidence malicious behavior.
  • Generic recovered JavaScript exploit stage [high] PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers; for this sample the transform that succeeded was marker replacement (MM to %u), see the two generic_stage_recovery artifacts below.
  • ASCIIHexDecode filter (with exploit indicators) [medium] PDF_FILTER_HEX
    A hex-encoding filter is present alongside exploit delivery indicators. ASCIIHexDecode is a legitimate PDF filter, but in exploit documents it is often used to hide payload or shellcode bytes from naive string scanners.
  • JavaScript action [low] PDF_JAVASCRIPT
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form [low] PDF_XFA
    The PDF uses XML Forms Architecture, which can contain script logic.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.1/
    All three are XFA schema namespace URIs that appear in the XML of any XFA form (the xdp, xci and xfa-template namespaces). They identify the schema, are not contacted at runtime, and should not be treated as network indicators of compromise.
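The first heuristic above flags a font with a real SING table paired with a heap spray. The check that separates a legitimate SING glyphlet from the CVE-2010-2883 trigger is whether the table's 28-byte uniqueName field (at offset 0x10 in the table) is NUL-terminated: CoolType copied it with strcat() into a fixed-size stack buffer, so a name that runs past the field without a NUL overflows that buffer. The following Python is an added triage example, not the analyser's own code; it parses the sfnt table directory, measures how far the strcat() would have copied, and runs against two fonts constructed inline (the carved font_00 and font_01 blobs are not reproduced here).

```python
"""Added triage example (not the analyser's code): parse an sfnt font's table
directory, locate a SING table and check whether its uniqueName field is
NUL-terminated within 28 bytes, which is the CVE-2010-2883 trigger condition.
The fonts built at the bottom are constructed fixtures, not carved samples."""
import struct

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}
SING_UNIQUENAME_OFFSET = 0x10  # eight uint16 header fields precede uniqueName
SING_UNIQUENAME_LEN = 28       # the field is fixed at 28 bytes in the SING table layout


def parse_table_directory(data):
    """Return {tag: (offset, length)} from the sfnt offset table."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        raise ValueError("not an sfnt font")
    num_tables = struct.unpack(">H", data[4:6])[0]
    tables = {}
    for i in range(num_tables):
        rec = 12 + 16 * i
        if rec + 16 > len(data):
            raise ValueError("truncated table directory")
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + 16])
        if offset + length > len(data):
            raise ValueError("table %r points outside the file" % tag)
        tables[tag] = (offset, length)
    return tables


def check_sing_table(data):
    """Describe the SING table, or return None when the font has none.

    CoolType copied uniqueName with strcat() into a fixed stack buffer, so the
    number of bytes that matters is the distance from offset 0x10 to the first
    NUL, wherever that NUL is.  'overflow' is set when no NUL falls inside the
    28-byte field at all, which a well-formed glyphlet name never does."""
    tables = parse_table_directory(data)
    if b"SING" not in tables:
        return None
    offset, length = tables[b"SING"]
    sing = data[offset:offset + length]
    if len(sing) < SING_UNIQUENAME_OFFSET + SING_UNIQUENAME_LEN:
        return {"table_length": length, "strlen": 0, "overflow": False, "malformed": True}
    tail = sing[SING_UNIQUENAME_OFFSET:]
    nul = tail.find(b"\x00")
    strlen = len(tail) if nul == -1 else nul
    return {
        "table_length": length,
        "strlen": strlen,
        "overflow": strlen >= SING_UNIQUENAME_LEN,
        "malformed": False,
    }


def build_font(tag, body):
    """Construct a minimal one-table sfnt (fixture for the checks above)."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)
    record = struct.pack(">4sIII", tag, 0, 12 + 16, len(body))
    return header + record + body


def sing_body(unique_name_region):
    """Eight uint16 header fields, then whatever the font puts at offset 0x10."""
    fixed = struct.pack(">HHHHHHhh", 1, 0, 1, 0, 0, 1000, 0, 0)
    return fixed + unique_name_region


# Constructed fixtures: a glyphlet name that terminates properly, and an
# over-long non-NUL run of the kind the CoolType strcat() would walk past.
BENIGN_FONT = build_font(b"SING", sing_body(b"glyphlet-1".ljust(28, b"\x00") + b"\x00" * 17))
MALICIOUS_FONT = build_font(b"SING", sing_body(b"A" * 0x200 + b"\x00"))
NO_SING_FONT = build_font(b"cmap", b"\x00" * 4)

if __name__ == "__main__":
    for name, font in (("benign", BENIGN_FONT), ("malicious", MALICIOUS_FONT)):
        print(name, check_sing_table(font))
```

Run it against the carved font_00 and font_01 blobs by reading them into `check_sing_table`; a result with `overflow` set, together with shellcode in the JavaScript streams, is the combination the heuristic scores as critical. A SING table whose name field is exactly 28 non-NUL bytes would also be flagged, which is the conservative side to err on in triage.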

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each artifact is listed with its kind, source inside the PDF, size and SHA-256.

javascript_obj0029_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 29 at offset 0x13E03
  Size: 15084 bytes
  SHA-256: 9907a53979854670ec799ce7dd956d3015d1466c4385375111f23ffed518c757
  Detection: ClamAV found no threats. Obfuscation or payload: likely (the carved artifact contains 2 long base64-like blobs).

javascript_obj0038_001.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 38 at offset 0x1B82
  Size: 1242 bytes
  SHA-256: 2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe

javascript_obj0039_002.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 39 at offset 0x214F
  Size: 1572 bytes
  SHA-256: d8bbcc5984e6bec8996e18881fad0486ff520c9b9f03ee0fb9694ddfc412340d

stream_004_off00000b11.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xB11
  Size: 434 bytes
  SHA-256: 69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7

generic_stage_recovery_000.js
  Kind: deobfuscated-js
  Source: generic stage recovery (marker MM to %u) from the combined JavaScript objects at offset 0x13E03
  Size: 17603 bytes
  SHA-256: a00179b8ead1c5ace5b335fffb449cfc2df497eed89d8f77e3b5e922091c402f

generic_stage_recovery_001.js
  Kind: deobfuscated-js
  Source: generic stage recovery (marker MM to %u) from the combined JavaScript objects at offset 0x13E03
  Size: 10360 bytes
  SHA-256: 9563a3c500e87b52f13e2f8764bdf7567ffe7883a67edd7c7c0eb1130938d95d

font_00_sfnt_off00001152.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1152
  Size: 7965 bytes
  SHA-256: fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021

font_01_sfnt_off00001903.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1903
  Size: 7965 bytes
  SHA-256: 1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba

Note that the two embedded fonts are the same size (7965 bytes) but have different hashes, so they are not byte-identical copies; both should be checked for the SING table named in the CoolType heuristic. The ClamAV result on object 29 is a reminder that signature scanning of an obfuscated stream proves little; the stage-recovery artifacts are the content to read.
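The two generic_stage_recovery artifacts record which transform exposed the hidden stage: the obfuscator replaced every %u in the shellcode/heap-spray string literals with the marker MM, which defeats scanners that look for %u escapes directly. The Python below is an added example, not the analyser's code, showing that single transform from the list in the PDF_GENERIC_STAGE_RECOVERY heuristic carried through to a verdict: undo the marker substitution, decode the recovered %uXXXX runs into the bytes that unescape() actually places in memory (each 16-bit code unit stored little-endian), and measure the sled that a heap spray needs. The JavaScript it runs on is constructed for the example and is not the carved object 29.

```python
"""Added example (not the analyser's code): reverse the marker-MM-to-%u
substitution named in the report, decode the recovered %uXXXX runs into the
bytes unescape() lays out in memory, and look for a heap-spray sled.
The JavaScript below is constructed for this example."""
import re

PERCENT_U = re.compile(r"(?:%u[0-9a-fA-F]{4})+")
SLED_BYTES = {0x90, 0x0C}  # x86 NOP and the classic 0x0c0c0c0c spray address
EXPLOIT_MARKERS = ("unescape(", "fromCharCode", "eval(", "app.viewerVersion", "util.printf")


def recover_stage(js, marker="MM", replacement="%u"):
    """Undo a marker substitution that hides %u escapes from naive scanners."""
    return js.replace(marker, replacement)


def decode_percent_u(literal):
    """Bytes of a %uXXXX run as unescape() stores them: each 16-bit code unit is
    little-endian, so %u9090 -> 90 90 and %u0c0c -> 0c 0c, but %u4142 -> 42 41."""
    out = bytearray()
    for i in range(0, len(literal), 6):
        out += int(literal[i + 2:i + 6], 16).to_bytes(2, "little")
    return bytes(out)


def extract_payloads(js):
    """Every contiguous %u run in the recovered stage, decoded to bytes."""
    return [decode_percent_u(m.group(0)) for m in PERCENT_U.finditer(js)]


def longest_sled(blob):
    """Longest run of one repeated sled byte in a decoded payload."""
    best = cur = 0
    prev = None
    for b in blob:
        cur = cur + 1 if (b in SLED_BYTES and b == prev) else (1 if b in SLED_BYTES else 0)
        prev = b
        best = max(best, cur)
    return best


def triage_js(js, marker="MM"):
    """Recover the stage, then score it: a verdict needs decoded payload bytes,
    a sled of at least 16 bytes and at least one Acrobat/obfuscation marker."""
    stage = recover_stage(js, marker)
    payloads = extract_payloads(stage)
    found = [kw for kw in EXPLOIT_MARKERS if kw in stage]
    sled = max((longest_sled(p) for p in payloads), default=0)
    return {
        "payload_bytes": sum(len(p) for p in payloads),
        "longest_sled": sled,
        "markers": found,
        "verdict": "exploit-stage" if payloads and sled >= 16 and found else "no-stage",
    }


# Constructed inputs: a marker-obfuscated spray loop and an ordinary form script.
SAMPLE_JS = (
    'var nop = unescape("' + "MM9090" * 32 + '");\n'
    'var sc = unescape("MM4141MM4242MM4343");\n'
    'var block = nop + sc;\n'
    'while (block.length < 0x40000) block += block;\n'
    'var spray = []; for (var i = 0; i < 200; i++) spray[i] = block.substring(0, 0x3ffff);\n'
)
FORM_JS = 'if (this.getField("total").value < 0) app.alert("Total cannot be negative");'

if __name__ == "__main__":
    print(triage_js(SAMPLE_JS))
    print(triage_js(SAMPLE_JS, marker="ZZ"))  # wrong marker: nothing is recovered
    print(triage_js(FORM_JS))
```

Running the same input with the wrong marker yields no payload at all, which is why the recovery in the report tries a bounded set of transforms rather than one, and why the rule only fires when the recovered text also carries exploit markers: a blind MM-to-%u replacement would mangle legitimate strings (date formats, for instance) in benign form scripts.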