Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e1d0ad8753c6fda…

MALICIOUS

PDF

35.1 KB
MD5: 7be44174b0ae54b42b13c4428e627371 SHA-1: 75b5e6afb497ddce711bcf2dfbedd269bef453b1 SHA-256: 5e1d0ad8753c6fda907dff2ff8af01dde0e2189a500b94c77daba946cd3004d6
258 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The PDF file contains multiple indicators of malicious activity, including an embedded Windows executable payload and a critical heuristic firing for the CVE-2010-2883 Adobe Reader CoolType SING font exploit. The presence of JavaScript streams and XFA forms further suggests an attempt to exploit vulnerabilities for client execution. The embedded executable is the primary payload, likely delivered via spearphishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9829

Heuristics 9

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD
    PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://status.daum.net/error/error404.html
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.1/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0029_000.js
c56567982d44418ef081756434178f376e122ef8f16a32941d70a9c116fcad15		 pdf-javascript-stream PDF /JS object 29 at offset 0x6B1C 7608 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
javascript_obj0038_001.js
2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe		 pdf-javascript-stream PDF /JS object 38 at offset 0x1B83 1242 bytes
javascript_obj0039_002.js
d8bbcc5984e6bec8996e18881fad0486ff520c9b9f03ee0fb9694ddfc412340d		 pdf-javascript-stream PDF /JS object 39 at offset 0x2167 1572 bytes
stream_004_off00000b11.bin
69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xB11 434 bytes
embedded_pdf_000028df.exe
e2c3bdf518904a49f62ca07b33dff2082555d7972e28e391d2458eb9591d94b1		 embedded-pe PDF raw stream PE payload at offset 0x28DF 16939 bytes
font_00_sfnt_off00001152.bin
9d902019b5b13f19b5dd2d34db9324f8359c9155b014728a924fac6549b9e6e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1152 7965 bytes
font_01_sfnt_off00001904.bin
1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1904 7965 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.