Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6a7edf7119e32a7…

MALICIOUS

PDF

Size: 4.58 MB
Created: 2000-10-02 22:08:21
Authoring application: Acrobat Distiller 4.0 for Windows
MD5: 4ca24ef4513eff5f71b2843e65c0a38d
SHA-1: 4fceb1878f16138910a137ceb8cf293c55651750
SHA-256: a6a7edf7119e32a79b7812232ab473c87efdfcc1ca2ae22993b9c46c29500cf9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF sample contains multiple high-severity heuristic firings indicating exploit preparation, specifically related to CCITTFaxDecode and PRC/3D content, suggesting it targets known PDF vulnerabilities like CVE-2010-0188. An embedded JavaScript stream was also detected. While the document body is heavily obfuscated and unreadable, the combination of these indicators points to a malicious PDF designed to exploit a viewer vulnerability and likely execute a secondary payload.

Heuristics (4)

  • CCITTFaxDecode + TIFF/XFA exploit prep (LibTIFF CVE-family indicator) [severity: high; CVE related; rule: PDF_CCITT_CVE_2010_0188_RELATED]
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • PRC/3D content in PDF [severity: high; CVE related; rule: PDF_PRC_3D]
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat as a related parser-exploit indicator rather than a specific CVE match.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • ASCII85Decode filter (with exploit indicators) [severity: low; rule: PDF_FILTER_85]
    ASCII85 encoding filter present alongside exploit delivery indicators; uncommon outside of obfuscation.

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists: filename, kind, source, size, SHA-256.

  • stream_027_off0003a49a.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x3A49A; 82536 bytes
    SHA-256: 6100afae9ad45454d8114520d361c6392144ecba3bb4081e3af2afb51d1e21d6
  • stream_074_off00161d40.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x161D40; 66447 bytes
    SHA-256: 99cd96a2e09550b5f16f76a662dac87dfd262dd5c701126cebf11038dfcb5c56
  • stream_081_off001746fe.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1746FE; 87750 bytes
    SHA-256: d0ccdac934c35db28f1da246cf45f882e2ca64bdeb466b7442a3082b895ea55e
  • stream_084_off0018287b.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x18287B; 40320 bytes
    SHA-256: 95a4906ed443629c2d47bb0b18721dbba99fc168ee03456e7a692fcfa3969307
  • stream_088_off001964e1.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1964E1; 60030 bytes
    SHA-256: 51eddb186ca16feb7e3108bf3d0690a2b7b817cfefde9506b463ce9b071f87e9
  • stream_097_off001af275.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1AF275; 19513 bytes
    SHA-256: e26c002407a7108c21f7043b56a7b20e5cff3721e5e529e44ba3b2791b6ac6a8
  • stream_100_off001b7e7b.bin: decompressed-pdf-stream; PDF FlateDecoded stream at offset 0x1B7E7B; 24336 bytes
    SHA-256: 326ffb7899d1372336d19dbe88759d6e0919f7a8829b998a3dd3ae390f70050e
  • font_00_sfnt_off00481d42.bin: pdf-font-stream; PDF embedded font (sfnt) at offset 0x481D42; 11772 bytes
    SHA-256: b4424ef9e3fc126bb58cd8283789483dbb9f1724268bb19f08a5aa0a94e34203