Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1ab23af4ac683fc…

MALICIOUS

PDF

182.9 KB Created: 2010-09-24 17:00:51 Authoring application: Advanced PDF Repair at http://www.datanumen.com/apdfr/
MD5: a88c564688167e8f17179fcee5df01ca SHA-1: a044c45f95263d38ca16d6454dbaf1d2e0c644c5 SHA-256: a1ab23af4ac683fc142d86821546deef72ed84006bcf266941592c2dcecd16c0
86 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The sample is a PDF file that exploits the Adobe Reader CoolType SING font vulnerability (CVE-2010-2883). This vulnerability allows for arbitrary code execution. Embedded JavaScript streams were also detected, suggesting further malicious activity. The URL for 'datanumen.com' was found within the document, which may be related to the exploit or a secondary payload delivery.

Heuristics 6

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.datanumen.com/apdfr/

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0038_000.js
344b8dfeb46bf46d681c07ad0bdca9968a5711f7fe1fc67a5c29ca3cb6344d68		 pdf-javascript-stream PDF /JS object 38 at offset 0x289F 14983 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
javascript_obj0045_001.js
2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe		 pdf-javascript-stream PDF /JS object 45 at offset 0x6A67 1242 bytes
javascript_obj0046_002.js
d8bbcc5984e6bec8996e18881fad0486ff520c9b9f03ee0fb9694ddfc412340d		 pdf-javascript-stream PDF /JS object 46 at offset 0x6C8B 1572 bytes
stream_000_off00000938.bin
69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x938 434 bytes
font_00_sfnt_off0000642f.bin
fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x642F 7965 bytes
font_01_sfnt_off0000668e.bin
1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x668E 7965 bytes
font_02_sfnt_off000068ed.bin
823021e67c69104f3db2966cb1f6abc7103a6715ef1bffc315b5f9c5ea04a787		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68ED 7965 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.