Malicious PDF — malware analysis report

Static analysis result for SHA-256 b058fcc16446464c…

MALICIOUS

PDF

1.85 MB
MD5: ac4a484bb27e08433f822d4120291be4 SHA-1: 8c0ac1bf6e1a41da170a09c655795fdb31a6badc SHA-256: b058fcc16446464c0aa94edabbc98cfd87d5d2ac2f9e3009b11a3aff96ed53b7
106 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

This PDF file contains embedded JavaScript and utilizes the CVE-2010-2883 exploit targeting Adobe Reader's CoolType SING font parsing. The presence of JavaScript streams and the specific exploit indicate an attempt to compromise the user's system upon opening the document. The exploit likely facilitates the execution of further malicious code.

Heuristics 6

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0029_000.js
fa43b6cfd34e74adf939d2b4d0e928235e18a0760596e06740a9b8dc5cb8b1a2		 pdf-javascript-stream PDF /JS object 29 at offset 0x1D66B6 14989 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
javascript_obj0038_001.js
2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe		 pdf-javascript-stream PDF /JS object 38 at offset 0x1D44 1242 bytes
javascript_obj0039_002.js
d8bbcc5984e6bec8996e18881fad0486ff520c9b9f03ee0fb9694ddfc412340d		 pdf-javascript-stream PDF /JS object 39 at offset 0x2316 1572 bytes
stream_004_off00000cd0.bin
69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xCD0 434 bytes
font_00_sfnt_off00001313.bin
fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1313 7965 bytes
font_01_sfnt_off00001ac5.bin
1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AC5 7965 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.