PDF malware analysis — malicious · b17721f5dd6bd551

MALICIOUS

PDF

24.1 KB

MD5: 115f0374329a4155421415f4c3a578dc SHA-1: c8412b09fef3fbe1081138448762d74103b02561 SHA-256: b17721f5dd6bd551e55730c988e5944f573e2d8565dc0f6b9592d2a787d6e0c9

128 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.001 PowerShell

The PDF file contains an embedded XFA form and triggers the critical CVE-2010-0188 exploit, which is known to target Adobe Reader. The embedded URL is likely related to the exploit's functionality. The obfuscated document body content appears to be JavaScript, which is likely responsible for downloading and executing a secondary payload, although its exact function is obscured.

Heuristics 4

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
ClamAV: Pdf.Exploit.Agent-36821 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-36821
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.