Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6c999e9279765f8…

Verdict: MALICIOUS
File type: PDF
Size: 109.1 KB
MD5: d143a09611c45ac34ff0f85cc5efcc2e
SHA-1: a2378a47bf084a155974b6fd20559732ecac1608
SHA-256: d6c999e9279765f8924ed91422370193ea6ef856b2478513013bb3b75114f1c5
Risk score: 154

Malware Insights

The PDF sample contains multiple embedded JavaScript streams and triggers a critical heuristic for the CVE-2010-2883 Adobe Reader CoolType SING font exploit. The presence of JavaScript and the exploit indicate the document is designed to execute malicious code. The embedded JavaScript files are likely responsible for downloading and executing a secondary payload, contributing to the overall malicious intent of the document.

Heuristics (8)

  • Adobe Reader CoolType SING font exploit — CVE-2010-2883 (severity: critical, CVE likely; rule: CVE_2010_2883)
    PDF embeds a TrueType/OpenType font with an actual SING table and pairs it with JavaScript heap-spray shellcode. This matches the public Adobe Reader CoolType SING exploit shape for CVE-2010-2883.
  • RichMedia (Flash) (severity: high; rule: PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash), which is a historic exploit vector.
  • ASCIIHexDecode filter (with exploit indicators) (severity: medium; rule: PDF_FILTER_HEX)
    Hex-encoding filter present alongside exploit delivery indicators — often used to hide payload or shellcode bytes.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • XFA form (severity: low; rule: PDF_XFA)
    PDF uses XML Forms Architecture — can contain script logic.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

  • javascript_obj0029_000.js
    26338b2a519acba0865d62cad26dcc8b2cb919eaeb84efbb8052360a7e30c7fe
    Kind: pdf-javascript-stream
    Source: PDF /JS object 29 at offset 0x19141
    Size: 19428 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 3 long base64-like blob(s).
  • javascript_obj0038_001.js
    2c0b66ec50073178ddc3de2aaf0627ef83819a8f71c118ff3b075b4bd82749fe
    Kind: pdf-javascript-stream
    Source: PDF /JS object 38 at offset 0x1BA7
    Size: 1242 bytes
  • javascript_obj0039_002.js
    6925014a3c2c6b64ae3000282d91544e3f9bbc49b7fdc6b0421ea04d61e8240a
    Kind: pdf-javascript-stream
    Source: PDF /JS object 39 at offset 0x2170
    Size: 3698 bytes
  • javascript_obj0056_003.js
    b35586f41dc9bb7f36829c9115c66a5e45a54a10033eeeda509eead818997470
    Kind: pdf-javascript-stream
    Source: PDF /JS object 56 at offset 0x301E
    Size: 1035 bytes
  • stream_004_off00000b11.bin
    69e17a0038b9273e6d005ef52313a832cb41b9cf9713d6134d0cf9f2e59298a7
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB11
    Size: 434 bytes
  • font_00_sfnt_off00001177.bin
    fc85f44193ccd402987935418c4f5fdf6802c96450b789e7fce04f9791933021
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1177
    Size: 7965 bytes
  • font_01_sfnt_off00001928.bin
    1e827515a464087cdace63e3578c118b45a657ed40cdbb9de7eead35c9b593ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1928
    Size: 7965 bytes