Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb3581d016cec1ec…

MALICIOUS

PDF

31.6 KB
MD5: c3809a9dad83964ac028e46a6f7264fe SHA-1: bcb654ea49e81c7107a0877104e7642590e256de SHA-256: cb3581d016cec1ec8d44531a2036d12daafb3539c0d5616947311605f414acee
158 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1059.001 PowerShell

This PDF file is flagged as malicious by multiple engines, including ClamAV detecting it as Js.Exploit.HTML-30. Static analysis indicates it exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms. The embedded URL, while seemingly benign, is likely part of the exploit chain. The presence of XFA forms and the exploit detection strongly suggest an attack pattern aimed at delivering a second-stage payload via JavaScript execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • ClamAV: Js.Exploit.HTML-30 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Js.Exploit.HTML-30
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.xfa.org/schema/xfa-template/2.5/

Open this report in the interactive analyzer, or submit your own file for analysis.