Malicious PDF — malware analysis report

Static analysis result for SHA-256 798bf8b6ed3a7175…

Verdict: MALICIOUS
File type: PDF

Size: 639.0 KB. Created: (unreadable). Authoring application: (unreadable).
MD5: 91ae50066626182b6a5876e4562dd752
SHA-1: 8cebd32ba89e6cb9f346001b5baf6a918779cf8b
SHA-256: 798bf8b6ed3a717567a817c9464c7483ae1ca136577105df8c6adfdf01310fe6
Risk Score: 228

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file is identified as malicious because a critical heuristic fired for CVE-2010-2883, an Adobe Reader CoolType SING font exploit. The presence of embedded JavaScript, specifically within an XFA form, further indicates malicious intent. The JavaScript code attempts to check the Adobe Reader version and potentially download "updates" from a supplied URL, a common technique for delivering secondary payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (10)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 [critical; CVE likely; rule CVE_2010_2883]
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • PDF JavaScript exploit cluster [critical; rule PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Encrypted PDF carries /JavaScript (payload hidden from static analysis) [high; rule PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [low; rule PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low; rule PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low; rule PDF_EMBEDDED]
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload.
  • XFA form [low; rule PDF_XFA]
    PDF uses XML Forms Architecture, which can contain script logic.
  • PDF paints image(s) but contains no text operators [info; rule PDF_IMAGE_ONLY_LURE]
    PDF has 1 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Suspicious extracted artifact [info; rule EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info; rule EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://cgi.adobe.com/special/acrobat/update
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/1.0/
    • http://www.xfa.org/schema/xci/2.8/
    • http://www.xfa.org/schema/xfa-template/2.4/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.1/
    • http://ns.adobe.com/xtd/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xfdf/
    • http://www.xfa.org/schema/xfa-form/2.8/

Extracted artifacts (15)

Files carved from inside the sample during analysis.

Columns: Filename; Kind; Source; Size; SHA-256.

  • embedded_file_obj0012.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 12 at offset 0x18D1; Size: 86 bytes
    SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1
  • embedded_file_obj0013.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 13 at offset 0x1985; Size: 1500 bytes
    SHA-256: 8aa38aa66bbb66c238f2b2056e2706e71575fe988694258f17d2bf9e80eb10af
  • embedded_file_obj0014.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 14 at offset 0x1C59; Size: 7249 bytes
    SHA-256: 742512912da916ed05162ec3e4d245ac05b5310121e973ea4cc4bebeeaa6cc67
  • embedded_file_obj0015.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 15 at offset 0x26B1; Size: 159 bytes
    SHA-256: da19a956510de42d8522c11b25445b3efa52056541ed94d34b6ccf27c6a9ff47
  • embedded_file_obj0016.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 16 at offset 0x2784; Size: 3023 bytes
    SHA-256: 7a3baf6cd7005199e771f5fac95d2162e961b145b52976bfa7d0f32a10c9758d
  • embedded_file_obj0017.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 17 at offset 0x2B15; Size: 200 bytes
    SHA-256: 4cb349134bdb5f1a1c03281df9b53128ebe947f235398a912a4f0a9f638b24d5
  • embedded_file_obj0018.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 18 at offset 0x2C09; Size: 1223 bytes
    SHA-256: 94561903baadce077f2e3349478a5382a04b3be500869799a4aabc53a7a9fcb6
  • embedded_file_obj0019.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 19 at offset 0x2E5D; Size: 80 bytes
    SHA-256: 2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19
  • embedded_file_obj0020.bin
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 20 at offset 0x2F07; Size: 56 bytes
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
  • eflow.jpg
    Kind: pdf-embedded-file; Source: PDF EmbeddedFile object 38 at offset 0x391C; Size: 24941 bytes
    SHA-256: ba37fe16834bd85f967613ae35e857f09094a0b2d63ee89c455d639970a0e813
  • javascript_obj0040_000.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 40 at offset 0x9B6CE; Size: 2844 bytes
    SHA-256: bb2fe1c0b366bd3a48235c04e822305ef3ab04e575e155f93e34004f56cc10ec
  • javascript_obj0041_001.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 41 at offset 0x9BA1A; Size: 870 bytes
    SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb
  • javascript_obj0042_002.js
    Kind: pdf-javascript-stream; Source: PDF /JS object 42 at offset 0x9BB72; Size: 1532 bytes
    SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8
  • stream_012_off000943a4.bin
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x943A4; Size: 32400 bytes
    SHA-256: 0601c4b533d97a420b6c976136126d6e4d79c0f357e07bcf80adaf2c57144440
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact entropy is 7.74, consistent with packed or encrypted content.
  • font_00_sfnt_off0009c6f4.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9C6F4; Size: 71524 bytes
    SHA-256: 426fc31e492fe224eea571b50d4b8a8539f1b24595527e3932236df755edd36a