Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2a057dc0c00c3f1…

Verdict: MALICIOUS

File type: PDF

Size: 237.9 KB

MD5: e79e5bd09122af9500c3830911917244
SHA-1: a5bab7f208fb35e55cc9d9578a8d3b92cddf0cc0
SHA-256: c2a057dc0c00c3f1ba927a3da4a1303c591cd6259ed70fe9a0c8ae4d31405891

Risk score: 126

Malware Insights

MITRE ATT&CK

  • T1204.002 Malicious File Execution: Malicious File
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic firing for CVE-2010-2883 indicates the PDF is designed to exploit a known vulnerability in Adobe Reader. Embedded JavaScript streams were also detected, suggesting the exploit is used to execute malicious code. The ML classifier also flagged this PDF as malicious. The exact nature of the second-stage payload could not be determined due to obfuscation, but the exploit and script execution pattern is common for malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8132

Heuristics (6)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 (severity: critical; CVE likely; rule: CVE_2010_2883)
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form (severity: low; rule: PDF_XFA)
    PDF uses XML Forms Architecture, which can contain script logic.
  • AcroForm button with action trigger (severity: low; rule: PDF_ACROFORM_BUTTON)
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (12)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source, and size.

  • javascript_obj0039_000.js
    SHA-256: e2e297038729f5e5f32a8c6feebdd8f51b16c550c9f79c4e6a41ff3e5f054971
    Kind: pdf-javascript-stream
    Source: PDF /JS object 39 at offset 0x2529
    Size: 12406 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • stream_002_off00000f8f.js
    SHA-256: 672d461752be4a970c8e9721164ce074d252b55d09d46cc09259d2ce4fc09f7f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xF8F
    Size: 1546 bytes
  • stream_003_off0000124c.bin
    SHA-256: 29cf1edfedd4f27f3c450646c5dc2510e6bf9e63eee1cd436ac517a465a2e1bf
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x124C
    Size: 1650 bytes
  • stream_004_off000015bc.bin
    SHA-256: 0f910ffeec733940f6ba1ae41dc6770eab5d615c05bccc95197878b62c8dc45f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x15BC
    Size: 2928 bytes
  • stream_006_off00001b51.bin
    SHA-256: 4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1B51
    Size: 56 bytes
  • stream_007_off00001bd9.bin
    SHA-256: fe122a09d8a0444608fdc5a6f4981a2dbd469f5bbfacb4bdd327c28ccc343e13
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x1BD9
    Size: 149 bytes
  • font_00_cff_off00005c86.bin
    SHA-256: ea8f409c7366ed46eeb553aa7b404f04641f482ba88463fbe253da60be5787e5
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x5C86
    Size: 1138 bytes
  • font_01_sfnt_off00007891.bin
    SHA-256: e31f8c8507e52f29008d946a00becde9f839e34cb108985ce66167bf881adafa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7891
    Size: 8084 bytes
  • font_11_sfnt_off00013e7b.bin
    SHA-256: 422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13E7B
    Size: 65932 bytes
  • font_12_sfnt_off0001daf3.bin
    SHA-256: 7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1DAF3
    Size: 65932 bytes
  • font_13_sfnt_off00027763.bin
    SHA-256: 57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x27763
    Size: 65932 bytes
  • font_14_sfnt_off0003139c.bin
    SHA-256: 1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3139C
    Size: 65932 bytes