Malicious PDF — malware analysis report

Static analysis result for SHA-256 95eb0fb640997e8a…

MALICIOUS

PDF

3.9 KB
MD5: ff3f8fe94b08fa5eda00c9dab1d008df SHA-1: fbaa960d3cea4f15e7642d75c6542fe1528e88d1 SHA-256: 95eb0fb640997e8a3ee7b4d53c3b125dcb88acb5ae7bc13df6e273a59b2cb8f3
118 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The PDF file contains an embedded script payload and triggers the CVE-2010-0188 exploit for Adobe Reader. This exploit allows for arbitrary code execution, which is commonly used to download and execute further malicious content. No specific malware family was identified, but the exploit and embedded nature suggest a downloader or dropper.

Heuristics 5

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • Embedded script payload in PDF stream high PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or HTML script tags. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0041.bin
d95bcac45d5204b45243aa88cbb8b2e9c523c93ed610d8f3a86108f1037612f4		 pdf-embedded-file PDF EmbeddedFile object 41 at offset 0x53 9819 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.