Malicious PDF — malware analysis report

Static analysis result for SHA-256 c52fef30dc934350…

MALICIOUS

PDF

313.1 KB Created: 2010-03-04 18:02:04 +08:00 Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: ddbe4506663f1d75e516fa5f7564fb08 SHA-1: 812edc1704079d7beea75866aedbff2b053df8eb SHA-256: c52fef30dc934350f8d5b1ccfcd406083983b7b794ecd8d351e4880e48917923
222 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The sample is a PDF document that exploits CVE-2010-0188, a critical vulnerability in Adobe Reader related to XFA forms. Static analysis detected embedded JavaScript and an embedded script payload, indicating the file's intent is to download and execute a secondary payload. The presence of XFA form elements and JavaScript actions further supports this conclusion. No specific malware family was identified.

Heuristics 11

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.datanumen.com/apdfr/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0007.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x7988 56 bytes
embedded_file_obj0008.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x7A27 80 bytes
embedded_file_obj0009.bin
5a1ae56b5d79992962cd7a2b90c8a3c925b39e9e9c053cec9dd39fcaabb79b0b		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x7ADA 1533 bytes
embedded_file_obj0010.bin
c6f641b94e3ae73b7ddd9d5d3b8ce05e7497e1b6e0c8f3d84a6934d0ae9aada2		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x7DA2 142 bytes
embedded_file_obj0011.bin
500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x7E74 200 bytes
embedded_file_obj0012.bin
560dcced2df6f65386a395771a4721a00980be4d89cc752639746882322da5c3		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x7F71 2518 bytes
embedded_file_obj0014.bin
d7fa0bb4b440be27b73f2789111f5954ee699800ac09075cce38842f26f68454		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0xE31C 1610 bytes
embedded_file_obj0015.bin
73b89e1b97ed7e13506f21b0d6775a3b571f827a570db26ffc730d2694d01cc2		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0xE632 163 bytes
stream_013_off0000fdc1.js
91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFDC1 902 bytes
stream_014_off0000ff20.js
f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFF20 1367 bytes
embedded_pdf_script_000084a4.bin
ac44c23c0b740f8f6782d30cbee525f61da16a23b6a695615775e224e482cfa4		 pdf-embedded-script PDF raw stream script payload at offset 0x84A4 24647 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
font_00_sfnt_off00000569.bin
3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x569 36717 bytes
polyglot_child_pdf_off0003dd45.pdf
6d3461a8bef110ef5498e6be597d36be83948cba70c809cc00d681e6720766a2		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3DD45 67385 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.