Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9a241d2549aaa71…

MALICIOUS

PDF

50.1 KB Authoring application: Aspose Ltd. (via Aspose.PDF for .NET 19.8) First seen: 2021-02-23
MD5: 989927ade463b4dc301d42e2ec69353e SHA-1: efccc33327c056c379f763edd52ef4a579673dcf SHA-256: a9a241d2549aaa717e56368e962fdae02ae20b9007f8a5a29bf9b75c051c4f25
188 Risk Score

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • Suspicious extracted artifact critical EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://img215.imgeshacks.org/img130/601/includes/exec.php In PDF document text
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://ns.adobe.com/xdp/In PDF document text
    • http://www.xfa.org/schema/xci/1.0/In PDF document text
    • http://www.xfa.org/schema/xfa-template/2.4/In PDF document text
    • http://www.xfa.org/schema/xfa-data/1.0/In PDF document text
    • http://www.xfa.org/schema/xfa-form/2.8/In PDF document text

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0020.bin pdf-embedded-file PDF EmbeddedFile object 20 at offset 0x943 23777 bytes
SHA-256: 9e86272ed5deaf1bcdb770fc1c675d5f401def5af8726c5f6c1b4810e96e113e
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).
xfa_image_rawvalue_000.tif pdf-xfa-image-tiff XFA image/rawValue TIFF payload near offset 0xE20 3162 bytes
SHA-256: e21074a9cc5ba0a0429f0410c75de6663f4e0107acd5ccbd055de078137ea271
xfa_image_rawvalue_001.tif pdf-xfa-image-tiff XFA image/rawValue TIFF payload near offset 0x2104 4251 bytes
SHA-256: c89ac893e540d8ca11d312c70f94c0789a90ae45d164e6bab78f23a36096df1c
xfa_image_rawvalue_002.tif pdf-xfa-image-tiff XFA image/rawValue TIFF payload near offset 0x383F 8730 bytes
SHA-256: df190838beb5925f8a04fc1a64ec715abf375e5523513fea5a0c48b3a9e13d43
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Static shellcode analysis recovered URL(s): http://img215.imgeshacks.org/img130/601/includes/exec.php Static shellcode analysis found candidate code region(s). Indicators: heap spray 0x0C, SC_PUSH_STRING

Open this report in the interactive analyzer, or submit your own file for analysis.