Verdict: MALICIOUS
Risk Score: 148
Malware Insights
MITRE ATT&CK
- T1203 Exploitation for Client Execution
- T1566.001 Spearphishing Attachment
The critical heuristic firing for CVE-2011-0611 indicates that this PDF exploits a Flash Player vulnerability. The embedded SWF file, identified as Tatsumaki.swf, likely contains the shellcode for this exploit. The presence of an embedded file and the exploit technique strongly suggest this document was delivered as a malicious attachment.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 5
- Adobe Flash Player RichMedia exploit (critical, CVE likely), rule CVE_2011_0611_FLASH_RICHMEDIA: PDF combines RichMedia Flash activation with an embedded AS3 SWF loader (ByteArray/loadBytes) and shellcode heap-spray staging. This is the static exploit shape associated with CVE-2011-0611 Flash content delivered through Adobe Reader.
- RichMedia (Flash) (high), rule PDF_RICHMEDIA: PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
- Embedded file (low), rule PDF_EMBEDDED: PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
- XFA form (low), rule PDF_XFA: PDF uses XML Forms Architecture — can contain script logic.
- Embedded URL (info), rule EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
  - http://ns.adobe.com/xdp/
  - http://www.xfa.org/schema/xci/2.6/
  - http://www.xfa.org/schema/xfa-template/2.6/
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| Tatsumaki.swf | 1f35f3ee8c2acb99845e009cb0fea08275e031996132af652c8b924d3f510579 | pdf-embedded-file | PDF EmbeddedFile object 18 at offset 0x3AF | 3263 bytes |