PDF malware analysis — malicious · addffeb4e90067f4

MALICIOUS

PDF

14.2 KB

MD5: bb07e5c2ddc36cf62acb7d9929b96448 SHA-1: 7a94d59111e8d4f87ce5bdbf8ec366f2d9f1919c SHA-256: addffeb4e90067f48137047d90cabc1027da6863c41ae100815c036865b29ac6

168 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1566.001 Phishing: Spearphishing Attachment

The sample is a PDF file that leverages the CVE-2010-0188 exploit targeting Adobe Reader's XFA form processing. The heuristic firings indicate the use of an XFA numeric stager, which is designed to evaluate and execute code. ClamAV detection as Js.Exploit.HTML-30 further supports the malicious nature, suggesting JavaScript-based exploitation within the XFA structure. The embedded URL, while seemingly benign, is part of the XFA template structure.

Heuristics 5

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Js.Exploit.HTML-30
XFA numeric character-table eval stager high PDF_XFA_NUMERIC_EVAL_STAGER

PDF XFA initialize script reads numeric form data from rawValue, maps the values through a short character table, and evals the reconstructed stage. This is an exploit-kit staging technique even when the final decoded layer remains encoded.
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.