PDF malware analysis — malicious · 6e07d49e7352a338

MALICIOUS

PDF

44.8 KB

MD5: 767aff16340d92d6598d56e5b479e735 SHA-1: 09fc9b7539fd3979ad807ad0a2ed589e7f1eafa1 SHA-256: 6e07d49e7352a338758e6815bb0eea7b3db7ecfd346cbcfac14a776d938ec1dc

336 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2010-2883, a known Adobe Reader vulnerability. The JavaScript is designed to download and execute a second-stage payload from the URL http://halop.in/nte/koha.py/yH78ed06e8V03f01036002R23c7bb5110aT34579213Q00000300901801F0055010aJ12000601l0409327. This indicates a clear intent to compromise the user's system by leveraging an exploit and a remote download. The ClamAV detection of 'Js.Exploit.Shellcode-18' further supports this assessment.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 10

Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883

PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY

Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL

Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX

Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://halop.in/nte/koha.py/yH78ed06e8V03f01036002R23c7bb5110aT34579213Q00000300901801F0055010aJ12000601l0409327
- http://www.bitstream.com
- http://ns.adobe.com/xdp/
- http://www.xfa.org/schema/xci/2.6/
- http://www.xfa.org/schema/xfa-template/2.6/

Extracted artifacts 9

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0012_000.js` `5aa47edaf51cbe3c6ec123ccb470542d453d0846e9ffae2631c3a3bbfb9a9208`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA0BA	3772 bytes
`javascript_obj0012_001.js` `e194e75f9d252a0f694a1ca111893bbfe7e34c00c8e9401495cacd927479bdad`	pdf-javascript-stream	PDF /JS object 12 at offset 0xA100	4658 bytes
`generic_stage_recovery_000.js` `a16cf31bb1711225171d2617f1784119271f5422d7f32bb9b6ffc1113e4b1895`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 12 at offset 0xA0BA	3722 bytes
`generic_stage_recovery_001.js` `c2c2a45413afb03c1922ac92013ba6b094cb06412e4b73bef1f21445a255ead0`	deobfuscated-js	generic stage recovery split-literal-normalize from JavaScript object 12 at offset 0xA100	4608 bytes
`generic_stage_recovery_002.js` `ec79f4b12201341a789186a01e0a3837dccf92fb45ceb898a3fb7ac0c0eb3328`	deobfuscated-js	generic stage recovery split-literal-normalize from combined JavaScript objects at offset 0xA0BA	8331 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: unlikely
`generic_stage_recovery_003.js` `b6cdac0fcf11bd5d169d08a0edd1a3458dd8ab71dd8f644a17f50d5a02198fb0`	deobfuscated-js	generic stage recovery split-literal-normalize from decompressed stream at 0x0 at offset 0x0	45822 bytes
`generic_stage_recovery_004.js` `4d12b24abd5586b1b57377c4780ad28af77efea5c923e4d135bbbc7be30685ef`	deobfuscated-js	generic stage recovery percent-decode from decompressed stream at 0x0 at offset 0x0	45870 bytes
`generic_stage_recovery_005.js` `3648c05f457a466aa742baa77223ca7f9a82119f95ac5efcd8b185f2261e7aa3`	deobfuscated-js	generic stage recovery split-literal-normalize -> percent-decode from decompressed stream at 0x0 at offset 0x0	45820 bytes
`font_00_sfnt_off0000033c.bin` `683fcffe9abaad29001e134bdd9ad7d1628d5cbbf628c451b6c621f202a7dae4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x33C	65932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.