PDF malware analysis — malicious · 8bd45a2f7099b51a

MALICIOUS

PDF

195.6 KB Created: 2011-04-22 00:48:23 Authoring application: aaaaaaaa aaa aaaaaa aa http://aaa.aaaaaaaaa.aaa/aaaaa/

MD5: d3c4001909f980ee508b006d5df63751 SHA-1: 49b54b77e34416fa15908b0f1ec09930624a82b3 SHA-256: 8bd45a2f7099b51a9c9401d956a43a68caebd9959b71f84a6441781f3afc8474

134 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1059.001 PowerShell

The PDF file contains a critical vulnerability exploit for CVE-2010-2883, targeting Adobe Reader's handling of SING fonts. Embedded JavaScript streams were detected, and one of them, 'javascript_obj0048_000.js', is likely responsible for downloading and executing a secondary payload from the embedded URL http://aaa.aaaaaaaaa.aaa/aaaaa/. The presence of RichMedia (Flash) and embedded files further suggests a multi-stage attack.

Heuristics 8

Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883

PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://aaa.aaaaaaaaa.aaa/aaaaa/
- http://www.datanumen.com/apdfr/

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`5.swf` `f9202a5cd9007c62a212a33809815fddd498c78f8ea667415a9cacbc7aed313c`	pdf-embedded-file	PDF EmbeddedFile object 57 at offset 0x7E1D	2376 bytes
`javascript_obj0048_000.js` `2820116b2790b650c5095241088294398a3b3c7e17702101881ad47e4cbda66c`	pdf-javascript-stream	PDF /JS object 48 at offset 0x2B35	19427 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 long base64-like blob(s).
`javascript_obj0060_001.js` `d09a588b22eec2c7828c33f700a6cb6f74ac83f5d53d6ca286bc44cce07b1907`	pdf-javascript-stream	PDF /JS object 60 at offset 0x8801	3781 bytes
`javascript_obj0063_002.js` `fd7d21cf68514556b0343a05f24c2ad1824764617801ef6fe16cc43b30be96d4`	pdf-javascript-stream	PDF /JS object 63 at offset 0x8FAC	1064 bytes
`stream_003_off00001485.bin` `69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1485	434 bytes
`font_00_sfnt_off000079f4.bin` `fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79F4	7965 bytes
`font_01_sfnt_off0000923d.bin` `823021e67c69104f3db2966cb1f6abc7103a6715ef1bffc315b5f9c5ea04a787`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x923D	7965 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.