Verdict: MALICIOUS
Risk Score: 120
Malware Insights
MITRE ATT&CK: T1203 Exploitation for Client Execution
The sample is a PDF file that triggers a critical heuristic for a Type 1 Multiple Master font overflow exploit, commonly associated with CVE-2010-1797. This indicates the file is designed to exploit a vulnerability in PDF readers to achieve code execution. ClamAV also detected it as a dropper, suggesting it likely downloads and executes additional malicious payloads.
Machine Learning
- Nyx PDF Classifier clean score 0.0266
Heuristics (2)
- Type 1 Multiple-Master font overflow exploit (jailbreakme / CVE-2010-1797), severity: critical, rule: PDF_TYPE1_MM_FONT_OVERFLOW. The PDF embeds a Type 1 (PostScript) font that carries Multiple Master Blend keys (BlendDesignPositions/BlendAxisTypes/BlendDesignMap) together with an over-long clear-text overflow filler (a giant repeated-token array, a 1 KB+ contiguous junk token, or a 'blatantly invalid' self-label). Multiple Master is a deprecated Type 1 sub-format whose Blend handling drives a stack buffer overflow in the FreeType / Adobe CoolType font parser; this is the static shape of the 2010 'jailbreakme' PDF font 0-day (CVE-2010-1797), the /FontFile (Type 1) counterpart to the CVE-2010-2883 SING exploit. The malicious bytes live inside a FlateDecoded /FontFile, so JS, heap-spray and raw-byte rules never see them; rendering one glyph in the font forces the vulnerable parse.
- ClamAV: Pdf.Dropper.Agent-7387411-0, severity: critical, rule: CLAMAV_DETECTION. ClamAV detected this file as malware: Pdf.Dropper.Agent-7387411-0
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_000_off000003eb.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x3EB | 414921 bytes |

SHA-256 of stream_000_off000003eb.bin: c8d75f30ae53f687b9171a34f6f58107bf60907da2a69e134d69f2857b102b94