Malicious PDF — malware analysis report

Static analysis result for SHA-256 db815352998017cc…

MALICIOUS

PDF

397.6 KB Created: 2010-03-26 13:59:58 +09:00 Authoring application: ezPDF Builder 2006
MD5: 5abdc7504d26f6a506a81616e5e28299 SHA-1: e2eb09a4162b4074b6c4a8cf9dda7033cf7b6145 SHA-256: db815352998017cceb86e601024342f1dd0ee4688160ce00c9b7a96dc004cb58
160 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.001 PowerShell

The PDF file contains an embedded exploit targeting CVE-2010-0188, a vulnerability in Adobe Reader related to LibTIFF processing. This exploit is designed to achieve arbitrary code execution. The presence of an embedded file and a secondary PDF further suggests a multi-stage attack. The document body is heavily obfuscated and unreadable, providing no direct clues about the lure.

Heuristics 8

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • CCITTFaxDecode + TIFF/XFA exploit prep — LibTIFF CVE-family indicator high CVE related PDF_CCITT_CVE_2010_0188_RELATED
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • Secondary embedded PDF body has suspicious static findings high POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/iX/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0001.bin
5a479ff2881cc991bf2f5e5dffd9080c2332683563d973d5bbbbddf0f58331ed		 pdf-embedded-file PDF EmbeddedFile object 1 at offset 0x51 13430 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 long base64-like blob(s).
font_00_sfnt_off0003c1e7.bin
e6cd24806a9b3738bd0b9a4b95e739d3cb77d17506289a09f10e86cee2b02734		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3C1E7 323208 bytes
font_01_sfnt_off00046b5f.bin
58e6fb68328f65295a57d64e6fe622be785327525ccf35e58283661ddde6123f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x46B5F 504052 bytes
font_02_sfnt_off0005a054.bin
85f76fcc4c481925802efbe6b3be6b3daff0851b7332bb1166ce9f36904e4a86		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5A054 43968 bytes
font_03_sfnt_off0005eb4c.bin
cb17b532afb8b4a6a60f68a81b0adc830f9c2de57272beb97754948fc7d53531		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EB4C 41664 bytes
polyglot_child_pdf_off0000d27f.pdf
f7b91fdcee6cef35a8b84ebc19ff946c926f846faaba8216c0938b91c7f7fba9		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xD27F 353298 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.