MALICIOUS
206
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.002 Malicious File
The PDF file exhibits multiple indicators of malicious intent, including embedded JavaScript and an embedded file. The presence of these elements strongly suggests that the document is a dropper or downloader, intended to fetch and execute a secondary payload. The embedded file 'embedded_file_obj0004.bin' is a primary artifact of interest. While the specific family is not identifiable, the attack pattern points towards a multi-stage infection process.
Machine Learning
- Nyx PDF Classifier malicious score 0.9849
Heuristics 8
-
Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
-
Suspicious extracted artifact medium EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded file low PDF_EMBEDDEDPDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
-
JavaScript action low 1 related finding PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic (matched inside decoded stream)
-
Embedded script payload in PDF stream info PDF_EMBEDDED_SCRIPT_PAYLOADPDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
- http://ns.adobe.com/xap/1.0/In PDF document text
- http://ns.adobe.com/xap/1.0/mm/In PDF document text
- http://purl.org/dc/elements/1.1/In PDF document text
- http://ns.adobe.com/pdf/1.3/In PDF document text
- http://cgi.adobe.com/special/acrobat/updateReferenced by PDF JavaScript
- http://ns.adobe.com/xdp/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xci/1.0/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xci/2.8/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-template/2.4/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-data/1.0/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-locale-set/2.1/Referenced by PDF JavaScript
- http://www.xfa.org/schema/xfa-form/2.8/Referenced by PDF JavaScript
- http://ns.adobe.com/xfdf/In PDF document text
Extracted artifacts 12
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
embedded_file_obj0001.bin |
pdf-embedded-file | PDF EmbeddedFile object 1 at offset 0xCC4 | 86 bytes |
SHA-256: f7ee3ef2f8f35d669a6c2b8b0b0ee89655bbc3d04b107a8d22531830f6fc28a1 |
|||
embedded_file_obj0002.bin |
pdf-embedded-file | PDF EmbeddedFile object 2 at offset 0xD77 | 2016 bytes |
SHA-256: 7cfe100cbdcad5aca90e1aff8d47bd1123cf26569260667c1d765df6ce0caa2c |
|||
embedded_file_obj0003.bin |
pdf-embedded-file | PDF EmbeddedFile object 3 at offset 0x110B | 15837 bytes |
SHA-256: f3af0cf90c00df075a9ce3a70b1ab9f6630be5831085025f0de58661026ef643 |
|||
embedded_file_obj0004.bin |
pdf-embedded-file | PDF EmbeddedFile object 4 at offset 0x1788 | 11695 bytes |
SHA-256: 1618be88b77384b7e3d67817b9ec19bbbfc7018d18d3fd54d4daaff288c95aaa |
|||
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 long base64-like blob(s).
|
|||
embedded_file_obj0005.bin |
pdf-embedded-file | PDF EmbeddedFile object 5 at offset 0x1B2A | 4852 bytes |
SHA-256: 2680b20f4fac49f509e9b73896071e8d16550d04c32a2854f801644ece0b6d0b |
|||
embedded_file_obj0006.bin |
pdf-embedded-file | PDF EmbeddedFile object 6 at offset 0x1F40 | 1223 bytes |
SHA-256: 89db6425645c1f2700e52a38498e90ca6ef07071c0662f0b1655e8eb798468ad |
|||
embedded_file_obj0007.bin |
pdf-embedded-file | PDF EmbeddedFile object 7 at offset 0x218E | 85 bytes |
SHA-256: af05f8185c725a70291567ae2112fa9a98b368528a7cc440552f0c0847d95121 |
|||
embedded_file_obj0008.bin |
pdf-embedded-file | PDF EmbeddedFile object 8 at offset 0x223B | 332 bytes |
SHA-256: 8e2b0c5682a7ef5861af182df1c165bec1368e4ec954c0f525b7d9b0aa94381b |
|||
xfa_image_rawvalue_000.tif |
pdf-xfa-image-tiff | XFA image/rawValue TIFF payload near offset 0x17F6 | 8642 bytes |
SHA-256: 26b5b2a71a6a10fd5abcaa57b490813f1caeaf8cd87470ba68e6fca37db997f7 |
|||
|
Detection
ClamAV:
Win.Exploit.CVE_2010_0188-7
Obfuscation or payload:
likely
Static shellcode analysis found candidate code region(s). Indicators: NOP sled
|
|||
stream_002_off00000339.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x339 | 1532 bytes |
SHA-256: f574e4d51594d1a8fd22e125b109b827c437aa898edc78babb62dbb93f8744f8 |
|||
stream_003_off00000524.js |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x524 | 870 bytes |
SHA-256: 4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb |
|||
objstm_0038_00.bin |
pdf-objstm-decoded | PDF /ObjStm 38 0 obj (inflated) | 689 bytes |
SHA-256: fc38668935b818d494502afb894c15e6b0d801951a9c4fd0b0c46f76fef1fb2a |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.