MALICIOUS
286
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
This PDF file exploits CVE-2010-2883 (Adobe Reader CoolType SING font exploit) and utilizes embedded JavaScript, including a large recovered stage, to achieve code execution. The embedded JavaScript is designed to download and execute a second-stage payload, as indicated by the PDF_GENERIC_STAGE_RECOVERY heuristic and the presence of embedded SWF and JavaScript files. The use of XFA forms and JavaScript points towards a common PDF-based exploit delivery mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 0.9972
Heuristics 11
-
Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
RichMedia (Flash) high PDF_RICHMEDIAPDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
-
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEXHex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.1/
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
5.swf060fdfb9be9860ec5821883c5c4e3186f18e916cb89d856e901c00fd683b64ea |
pdf-embedded-file | PDF EmbeddedFile object 50 at offset 0x3C99 | 22882 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact entropy is 7.98, consistent with packed or encrypted content.
|
|||
javascript_obj0029_000.js7f5dffffd793ea24e05f176944d498d11e43abd5ab94e14a768b19bce7596a7b |
pdf-javascript-stream | PDF /JS object 29 at offset 0x29136 | 19428 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 3 long base64-like blob(s).
|
|||
javascript_obj0038_001.js2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe |
pdf-javascript-stream | PDF /JS object 38 at offset 0x1BAB | 1242 bytes |
javascript_obj0039_002.js6925014a3c2c6b64ae3000282d91544e3f9bbc49b7fdc6b0421ea04d61e8240a |
pdf-javascript-stream | PDF /JS object 39 at offset 0x2193 | 3698 bytes |
javascript_obj0056_003.js61ebdbb3516b854e81718f482f4c2d78a089e743973ea2b382797956212189e9 |
pdf-javascript-stream | PDF /JS object 56 at offset 0x3024 | 906 bytes |
stream_004_off00000b15.bin69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xB15 | 434 bytes |
generic_stage_recovery_000.jscf86fdfe60cff5d0cbf44f92f87552b5bde9ea44d70b0ccddf35f383fb719858 |
deobfuscated-js | generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0x29136 | 25239 bytes |
generic_stage_recovery_001.js96a9cec0e00f93d36ea1d3665a31f598b944e48b0488fef51a3b38702704e199 |
deobfuscated-js | generic stage recovery marker-MM-to-%u from combined JavaScript objects at offset 0x29136 | 18856 bytes |
generic_stage_recovery_002.js8b3a366f9ef094af3f53d692330b76813badb8740ee5223f08ac496f86e76ea3 |
deobfuscated-js | generic stage recovery split-literal-normalize -> marker-MM-to-%u from combined JavaScript objects at offset 0x29136 | 25233 bytes |
generic_stage_recovery_003.js5eaabfdffb3381b8bf9ae2cd2eb5836c05ddac9e48619cc5aaaf301df3c6ac38 |
deobfuscated-js | generic stage recovery split-literal-normalize -> marker-MM-to-%u from combined JavaScript objects at offset 0x29136 | 18850 bytes |
font_00_sfnt_off0000117b.binfc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x117B | 7965 bytes |
font_01_sfnt_off0000192c.bin1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x192C | 7965 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.