PDF malware analysis — malicious · b82ff82645eb3a0f

MALICIOUS

PDF

29.6 KB Created: 2012-12-11 17:01:31 Authoring application: pgvdttsdhcgam (via waymhnpjmjprfv)

MD5: b14ac26518677d3cdd70457f93b3b6a7 SHA-1: c430b710fac8957806008fc259871d4d63109789 SHA-256: b82ff82645eb3a0f4ffb6f732b7db0ea3c1ab5b69b9ee55a7044e11f24f01970

78 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.001 PowerShell

The sample is a PDF document that exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms. The critical heuristic firing indicates that the XFA form contains JavaScript which is XOR decoded and likely used to trigger the exploit. The embedded JavaScript file, 'xfa_metadata_stage_000.js', is suspicious and suggests the document's primary purpose is to execute malicious code. This code is likely designed to download and execute a second-stage payload.

Heuristics 4

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0010.bin` `f5fada8101d0364117b2454492c05b64911df9d040cddf613d50212da6228859`	pdf-embedded-file	PDF EmbeddedFile object 10 at offset 0x12A2	10740 bytes
`stream_011_off000041c0.bin` `392d4f07be91edcc9359ef94bc01fc8fbd40fa048af13b58bb9eb28874772ed6`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x41C0	209 bytes
`xfa_metadata_stage_000.js` `356ba614beefd2067c7d7e916ea7b708352d1e71c54ba4aac56cff24066d1f4c`	deobfuscated-js	XFA /Title hex-XOR decoded JavaScript (raw, key=vanrxtsLKSR) at offset 0x5353	4082 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.