Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3a28b2e37f0a97d…

MALICIOUS

PDF

651.4 KB Created: 2010-09-20 15:05:48 +08:00 Authoring application: Acrobat PDFMaker 7.0 for Word (via Acrobat Distiller 7.0 (Windows))
MD5: 49f8e3fb2c7f857272bccae23c378552 SHA-1: 628d3f5f4c4e3692f063dcff1cd528bec8f2aff8 SHA-256: d3a28b2e37f0a97d48c489b1bea5bcb8ee758a31f57feb3c0621d199add07e6b
214 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.001 Malicious Link

This PDF file contains embedded JavaScript and exploits CVE-2010-2883, a known vulnerability in Adobe Reader's CoolType SING font handling. The presence of JavaScript actions and unescape calls, along with a secondary embedded PDF with similar suspicious findings, indicates an attempt to download and execute a malicious payload. The document body itself is largely unreadable, but the technical indicators strongly suggest a drive-by download or exploit delivery mechanism.

Heuristics 10

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 critical CVE likely CVE_2010_2883
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • ASCIIHexDecode filter (with exploit indicators) medium PDF_FILTER_HEX
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xfa/promoted-desc/
    • http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xci/2.6/
    • http://www.xfa.org/schema/xfa-template/2.6/
    • http://www.xfa.org/schema/xfa-locale-set/2.7/
    • http://www.xfa.org/schema/xfa-locale-set/2.6/
    • http://www.xfa.org/schema/xfa-form/2.8/
    • http://www.xfa.org/schema/xfa-data/1.0/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 14

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0026_000.js
2f574ea0a0abb643798c6edf545b9a2510056a799ef48c2f415cee8e337043b2		 pdf-javascript-stream PDF /JS object 26 at offset 0x47BF 9909 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
font_00_sfnt_off000149fa.bin
422bc5698ba5d9d4818f6a2d8b3abca2f723e713b44a15c390139d2c976a1388		 pdf-font-stream PDF embedded font (sfnt) at offset 0x149FA 65932 bytes
font_01_sfnt_off0001e85c.bin
7e24ee16c8b09ee74d61445f29c3c0a95abfdf17fc1008606394f159dbd0c106		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1E85C 65932 bytes
font_02_sfnt_off000286ba.bin
57e24925bc6bdb98d38e8b4ba3b87f80f75c5e49ea9a522486790d7dc6848549		 pdf-font-stream PDF embedded font (sfnt) at offset 0x286BA 65932 bytes
font_03_sfnt_off000324e1.bin
1f068d668b316fcb46f0801be00137fb749cc7fda5ca15e442829d6c303d8f99		 pdf-font-stream PDF embedded font (sfnt) at offset 0x324E1 65932 bytes
font_08_sfnt_off0008d945.bin
28374500729579f5e7edf3e6ebf423648a6f819679095b5cb02e9f63b6407a91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D945 23196 bytes
font_09_sfnt_off00090d1e.bin
db8bb3e7792f5fb1d585c474d635d271fd7c3c9af81e6addd182f313499ffb1f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x90D1E 24948 bytes
font_10_sfnt_off000944e0.bin
e3e6849923d322e0e81f0d72133cc4334e53861795bc630d5659e6628c4f6c14		 pdf-font-stream PDF embedded font (sfnt) at offset 0x944E0 19248 bytes
font_11_sfnt_off00097051.bin
de7decd844b32d868a63d1da9bd9c61a72668caae6f8302b6bf4e35ac7cb3333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97051 20000 bytes
font_12_sfnt_off00099d86.bin
cf49583f2ebc0ea01a87179fa0f83442477d2a42869c198ac47c31ddee244544		 pdf-font-stream PDF embedded font (sfnt) at offset 0x99D86 60628 bytes
javascript_obj0026_000_1.js
65f1a10cffeb24058d5b06509e41982408c74a0fa3e84b5d18553d313b129a80		 pdf-javascript-stream PDF /JS object 26 at offset 0x47BF 8527 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
javascript_obj0026_001.js
fa7f6cc47cfe55e5ebae56c90ef7032df457f3388765cff26c17cc792c215a1b		 pdf-javascript-stream PDF /JS object 26 at offset 0x47BF 3369 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
polyglot_child_pdf_off0003ca8f.pdf
6f5c9357d3065014027191a65f1296792cf8452d65cb6c4aa619da97621f9871		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x3CA8F 418542 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 10 long base64-like blob(s).
polyglot_child_pdf_off0008b1d8.pdf
cad7ad661fc3d3509d442e4a4643b971c51cf55cf2c52302c5bf2593deb45245		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x8B1D8 97189 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.