Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2741b2f68264d71…

MALICIOUS

PDF

99.8 KB
MD5: 0f80cab8affaba2f64349a69fc1f299c SHA-1: 4c8dfbd79d5aad62f632ed1812c49b60dea81f57 SHA-256: d2741b2f68264d7168c6a1200e163670854d4120ccbd38df67de606437d18cb7
136 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious PDF T1059.001 Command and Scripting Interpreter: PowerShell

The sample is a PDF file that exploits CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms. The PDF contains embedded script payloads, indicating an attempt to execute malicious code upon opening. The script logic, though partially obfuscated, suggests it is designed to download and execute a second-stage payload. The embedded URLs are related to XFA schemas and are not directly indicative of malicious infrastructure.

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
9a1569f88d78de4cedff0e1f53a9c334dc3b2fd4a7365205b82dd824093a80ce		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xC6 101428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.