Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bb2fe267c076f18…

MALICIOUS

PDF

2.87 MB
MD5: e48b8c585b3f9a1c7fe4be7712c0857e SHA-1: 33835617a1e7ffbaa06bddc06b09819245f218b4 SHA-256: 8bb2fe267c076f183301ced32afe02870114ed48353b9bfbae4ef73861124552
186 Risk Score

Malware Insights

The PDF contains embedded JavaScript and triggers a critical heuristic for the CVE-2010-2883 Adobe Reader CoolType SING font exploit. The ML classifier also flagged this PDF as malicious with high confidence. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload, a common technique for initial access.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9898

Heuristics 7

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0039_000.js
ebf2edb946f3c31da3dec6c892334debd24dd446307ac3fcab3f7c067220197b		 pdf-javascript-stream PDF /JS object 39 at offset 0x2529 12406 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
stream_002_off00000f8f.js
672d461752be4a970c8e9721164ce074d252b55d09d46cc09259d2ce4fc09f7f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xF8F 1546 bytes
stream_003_off0000124c.bin
29cf1edfedd4f27f3c450646c5dc2510e6bf9e63eee1cd436ac517a465a2e1bf		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x124C 1650 bytes
stream_004_off000015bc.bin
0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x15BC 2928 bytes
stream_006_off00001b51.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B51 56 bytes
stream_007_off00001bd9.bin
fe122a09d8a0444608fdc5a6f4981a2dbd469f5bbfacb4bdd327c28ccc343e13		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1BD9 149 bytes
font_00_cff_off00005c86.bin
ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5		 pdf-font-stream PDF embedded font (cff) at offset 0x5C86 1138 bytes
font_01_sfnt_off00007891.bin
e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7891 8084 bytes
font_11_sfnt_off00013e7b.bin
422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13E7B 65932 bytes
font_12_sfnt_off0001daf3.bin
7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1DAF3 65932 bytes
font_13_sfnt_off00027763.bin
57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549		 pdf-font-stream PDF embedded font (sfnt) at offset 0x27763 65932 bytes
font_14_sfnt_off0003139c.bin
1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3139C 65932 bytes
polyglot_child_pdf_off0003b7cb.pdf
e1d73e8c7506efd351bda2eef987d027ae99a232f0651511e1cc35cd804555de		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3B7CB 2760663 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.