PDF malware analysis — malicious · 78d6de6c3aa11938

MALICIOUS

PDF

20.5 KB

MD5: 7a37178f8cc91b26e9cabde37599c22a SHA-1: 99856a0be28ca552fbd3ad52ad9c76428816a76c SHA-256: 78d6de6c3aa1193846e1a25442a502acca957021c454e6f3e4f31c55935af04e

160 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1566.001 Spearphishing Attachment

The sample is a PDF file identified as malicious by multiple heuristics, including a critical detection for CVE-2010-0188, an Adobe Reader LibTIFF XFA image exploit. This exploit is designed to achieve arbitrary code execution. The presence of an embedded URL, although benign in this specific instance, is typical for malware that downloads additional stages. The XFA form structure is also indicative of exploit attempts.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Pdf.Exploit.Dropped-78 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Dropped-78
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.