Malicious PDF — malware analysis report

Static analysis result for SHA-256 c51869d6b9a167fd…

MALICIOUS

PDF

110.6 KB
MD5: bd53af168abf2d2b90162f70c57f66c7
SHA-1: c5ac039e0b6e9b54a49a3e50dd4d207d5611fdab
SHA-256: c51869d6b9a167fdbcfb799ab851c988ffd6fac6262512d213efa83b1e941b63
Risk Score: 154

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file contains multiple embedded JavaScript streams and triggers a critical heuristic for the CVE-2010-2883 Adobe Reader CoolType SING font exploit. The presence of JavaScript actions and embedded JS streams indicates that the document is designed to execute code. The extracted JavaScript files are likely responsible for downloading and executing a second-stage payload. The specific exploit and embedded scripts strongly suggest malicious intent.

Heuristics (8)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 | critical | CVE likely | CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • RichMedia (Flash) | high | PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • ASCIIHexDecode filter (with exploit indicators) | medium | PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action | low | PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream | low | PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file | low | PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form | low | PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Suspicious extracted artifact | info | EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

  • javascript_obj0029_000.js
    9336962c9da1a26877bb4186faf05e0e6203d746fa1414225637f834952d0507
    Kind: pdf-javascript-stream | Source: PDF /JS object 29 at offset 0x1A501 | Size: 19427 bytes
    Detection: ClamAV: No threats found. Obfuscation or payload: likely. Carved artifact contains 3 long base64-like blob(s).
  • javascript_obj0038_001.js
    2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe
    Kind: pdf-javascript-stream | Source: PDF /JS object 38 at offset 0x19E8 | Size: 1242 bytes
  • javascript_obj0039_002.js
    d09a588b22eec2c7828c33f700a6cb6f74ac83f5d53d6ca286bc44cce07b1907
    Kind: pdf-javascript-stream | Source: PDF /JS object 39 at offset 0x1FB9 | Size: 3781 bytes
  • javascript_obj0056_003.js
    fd7d21cf68514556b0343a05f24c2ad1824764617801ef6fe16cc43b30be96d4
    Kind: pdf-javascript-stream | Source: PDF /JS object 56 at offset 0x2E8A | Size: 1064 bytes
  • stream_004_off000009f6.bin
    69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7
    Kind: decompressed-pdf-stream | Source: PDF FlateDecoded stream at offset 0x9F6 | Size: 434 bytes
  • font_00_sfnt_off00000fb8.bin
    fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0xFB8 | Size: 7965 bytes
  • font_01_sfnt_off00001769.bin
    1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x1769 | Size: 7965 bytes