PDF malware analysis — malicious · b7a2347176edd829

MALICIOUS

PDF

188.8 KB

MD5: 96f1fac814be5f417e3a399b62d083d0 SHA-1: c0c95479d6067cb83f7d72549069879b70d42bf3 SHA-256: b7a2347176edd829c7f56ad686cbc9cb870f8543d7e0a28cb1a819bdfda6f961

260 Risk Score

Malware Insights

MITRE ATT&CK

T1204 Malicious Link T1204.002 Malicious File T1059 Command and Scripting Interpreter T1059.001 PowerShell T1105 Ingress Tool Transfer

This PDF file contains an embedded executable payload and exploits the CVE-2010-0188 vulnerability in Adobe Reader. The embedded executable, 'embedded_pdf_00000ca6.exe', is likely the primary malicious component. Additionally, a secondary embedded PDF, 'polyglot_child_pdf_off0002e684.pdf', was found with suspicious static findings, suggesting a multi-stage attack. The file's purpose is to deliver and execute a secondary malicious payload.

Heuristics 8

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
Embedded Windows executable payload in PDF stream critical PDF_EMBEDDED_PE_PAYLOAD

PDF stream bytes contain an embedded Windows executable with a verified PE header. Exploit chains often hide droppers inside ordinary streams rather than standard /EmbeddedFile attachments.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
ClamAV: Pdf.Dropper.Agent-7216807-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-7216807-0
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 4

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `e6f619f1d2f431695e10c503f69668f64e20710468bf1ea14b55438a938f92b6`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x51	13430 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`stream_001_off0002e6d5.bin` `9e64f05248edfbee7e64aa1ff5dd753e85e5497b7d1dd2db9704044673a012d4`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2E6D5	13430 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`embedded_pdf_00000ca6.exe` `77734b4e840a05e2415d5d1bdd8727e18aebf4da2f63db9a5581f7ff5c747cb2`	embedded-pe	PDF decompressed stream PE payload at offset 0xCA6	190078 bytes
`polyglot_child_pdf_off0002e684.pdf` `91b52dd0a9c9dcdcc0c36702bce49243703e00ec315755b6f069f5b5f8d61d03`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x2E684	3238 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.