Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f074cc44f04323d…

MALICIOUS

PDF

1.74 MB Created: 2010-03-04 18:02:04 +08:00 Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: 3b7577d7571695f44bf561f864a58ac3 SHA-1: 8543dd2d8a02580ac39e7e17087619d060c0afbb SHA-256: 6f074cc44f04323d1781f81f7cf937009f3c045c87d8a31c43e91bbf7a676018
276 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file exploits CVE-2010-0188, a known vulnerability in Adobe Reader's handling of XFA forms, to achieve code execution. The embedded JavaScript attempts to prompt the user to update their Adobe Reader, potentially leading them to download malicious content from the URL http://cgi.adobe.com/special/acrobat/update. The ML classifier strongly indicates maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9968

Heuristics 12

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.datanumen.com/apdfr/
    • http://ocsp.verisign.com0
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://cgi.adobe.com/special/acrobat/update
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://ns.adobe.com/xfdf/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/xtd/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xci/2.8/
    • http://ns.adobe.com/xdp/
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • https://www.verisign.com/rpa
    • https://www.verisign.com/rpa01
    • http://crl.verisign.com/pca3.crl0
    • http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
    • https://www.verisign.com/rpa0
    • http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
    • http://www.adobe.com/typehttp://www.adobe.com/type/legal.html

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0007.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x7988 56 bytes
embedded_file_obj0008.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x7A27 80 bytes
embedded_file_obj0009.bin
5a1ae56b5d79992962cd7a2b90c8a3c925b39e9e9c053cec9dd39fcaabb79b0b		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x7ADA 1533 bytes
embedded_file_obj0010.bin
c6f641b94e3ae73b7ddd9d5d3b8ce05e7497e1b6e0c8f3d84a6934d0ae9aada2		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x7DA2 142 bytes
embedded_file_obj0011.bin
500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x7E74 200 bytes
embedded_file_obj0012.bin
560dcced2df6f65386a395771a4721a00980be4d89cc752639746882322da5c3		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x7F71 2518 bytes
embedded_file_obj0014.bin
d7fa0bb4b440be27b73f2789111f5954ee699800ac09075cce38842f26f68454		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0xE31C 1610 bytes
embedded_file_obj0015.bin
73b89e1b97ed7e13506f21b0d6775a3b571f827a570db26ffc730d2694d01cc2		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0xE632 163 bytes
javascript_obj0038_000.js
91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090		 pdf-javascript-stream PDF /JS object 38 at offset 0xFDC1 902 bytes
javascript_obj0039_001.js
f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531		 pdf-javascript-stream PDF /JS object 39 at offset 0xFF20 1367 bytes
embedded_pdf_script_000084a4.bin
c2a2eaac76aa990e4ff455da90ea7e83bdc0e6ab33e0065f161cdf74abfb2ba4		 pdf-embedded-script PDF raw stream script payload at offset 0x84A4 24647 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
font_00_sfnt_off00000569.bin
3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x569 36717 bytes
polyglot_child_pdf_off001ac745.pdf
af825ea29f3f585a52c6351b25fbb77eb19f272e9e619bfd0f46366449087e22		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1AC745 67385 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.