MALICIOUS
130
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.001 PowerShell
The critical heuristic 'CVE_2010_0188' indicates exploitation of a known Adobe Reader vulnerability. The presence of a secondary embedded PDF with similar suspicious findings further supports this. The XFA form suggests a complex document structure designed to host the exploit payload.
Heuristics 4
-
Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
-
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGEA valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
-
XFA form low PDF_XFAPDF uses XML Forms Architecture — can contain script logic
-
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILEDThe cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
stream_000_off0000004f.bin4039e9c998334ff031d82f5ca110045c516b3c5ea8785535b9ad33d41166a47b |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x4F | 13560 bytes |
polyglot_child_pdf_off001a0641.pdfc102d44267abc2eb3a0470e7f7826cc96337accbed8026665157470b23634d44 |
polyglot-child-pdf | Secondary PDF body inside pdf container at offset 0x1A0641 | 12066 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.