PDF malware analysis — malicious · d0c5c9044814d544

MALICIOUS

PDF

167.4 KB Created: 2010-03-23 12:31:52 +08:00 Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))

MD5: 097ceee8b7954a7e2d64738e0ebd77ed SHA-1: d9fa72edccdbd4c0d1fc1f11494416cd5f3d2830 SHA-256: d0c5c9044814d54419e1d481c313797537345abcaa827b2791902aea0b8a7350

120 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File: User Execution T1566.002 Phishing: Spearphishing Attachment T1190 Exploit Public-Facing Application

This PDF file contains a critical heuristic indicating exploitation of CVE-2010-0188, a known vulnerability in Adobe Reader related to LibTIFF XFA image handling. The presence of an embedded file and a secondary suspicious PDF further supports the malicious nature of this document. The primary attack vector is likely through a user opening the malicious PDF, leading to the execution of the embedded exploit.

Heuristics 7

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSEOF. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/pdfx/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `5a479ff2881cc991bf2f5e5dffd9080c2332683563d973d5bbbbddf0f58331ed`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x51	13430 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 long base64-like blob(s).
`font_00_sfnt_off000225de.bin` `0154a9004312640691d1286e9b548b34b9837009057f142973f65bc76a62fcd0`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x225DE	44352 bytes
`polyglot_child_pdf_off0001cb7f.pdf` `2a23ddf4b8ef7187fca7f47884f3d6300d3f3f756fd7ab2626ddcb54f3526931`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x1CB7F	53747 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.