Malicious PDF — malware analysis report

Static analysis result for SHA-256 ba2fe245680a2c76…

MALICIOUS

PDF

Size: 16.1 KB
First seen: 2026-05-08
MD5: 3a38947b14c4d44d76083e483b82a74a
SHA-1: 62dc05572b7ce52d761484b4fe47a9c3f8bf2e53
SHA-256: ba2fe245680a2c768a3724ae9e1a66e20bad76b74a716c1726e077b5f7d0ace1
Risk Score: 62

Machine Learning

  • Nyx PDF Classifier clean score 0.0311

Heuristics (2)

  • CoolType Type 1 Multiple-Master font overflow — CVE-2010-1797 (jailbreakme) critical CVE likely CVE_2010_1797
    PDF embeds a Type 1 (PostScript) font that carries Multiple Master Blend keys (BlendDesignPositions/BlendAxisTypes/BlendDesignMap) together with an over-long clear-text overflow filler (a giant repeated-token array, a 1 KB+ contiguous junk token, or a 'blatantly invalid' self-label). Multiple Master is a deprecated Type 1 sub-format whose Blend handling drives a stack buffer overflow in the FreeType / Adobe CoolType font parser — the static shape of the 2010 'jailbreakme' PDF font 0-day (CVE-2010-1797), the /FontFile (Type 1) counterpart to the CVE-2010-2883 SING exploit. The malicious bytes live inside a FlateDecoded /FontFile, so JS, heap-spray and raw-byte rules never see them; rendering one glyph in the font forces the vulnerable parse.
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_type1_off000003eb.bin
Kind: pdf-font-stream
Source: PDF embedded font (type1) at offset 0x3EB
Size: 414340 bytes
SHA-256: 143a672a4650344c5900d2d32d1a59fd671770e3a02f19809d361d7412a519a7