Malicious PDF — malware analysis report

Static analysis result for SHA-256 dffdf0206ebd428a…

MALICIOUS

PDF

1.74 MB Created: 2010-03-04 18:02:04 +08:00 Authoring application: Adobe LiveCycle Designer ES 8.2
MD5: 4058e4b65f0cbf01d9d4b5ad7d173721 SHA-1: 7a8c5368db7f3d661374037beec8d47cd6e1c851 SHA-256: dffdf0206ebd428ade934c4d61fa549f17d2d2c906f643012f2374af1be60a7b
222 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 PowerShell

The sample is a PDF file that exploits the CVE-2010-0188 vulnerability in Adobe Reader. It contains embedded JavaScript and XFA forms, indicating an attempt to execute malicious code. The embedded scripts are likely responsible for downloading and executing a second-stage payload. The presence of multiple embedded files and scripts points towards a downloader or dropper functionality.

Heuristics 11

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.datanumen.com/apdfr/
    • http://www.xfa.org/schema/xfa-template/2.5/

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0007.bin
4a60a9864cdf7382475d51051a03fdc43b32c31eb508893ccfccece34957f9f1		 pdf-embedded-file PDF EmbeddedFile object 7 at offset 0x7988 56 bytes
embedded_file_obj0008.bin
2ebdd7efeaa1190ff6bad8cbd649b313e3969564018f204e7385b97c2fab1e19		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0x7A27 80 bytes
embedded_file_obj0009.bin
5a1ae56b5d79992962cd7a2b90c8a3c925b39e9e9c053cec9dd39fcaabb79b0b		 pdf-embedded-file PDF EmbeddedFile object 9 at offset 0x7ADA 1533 bytes
embedded_file_obj0010.bin
c6f641b94e3ae73b7ddd9d5d3b8ce05e7497e1b6e0c8f3d84a6934d0ae9aada2		 pdf-embedded-file PDF EmbeddedFile object 10 at offset 0x7DA2 142 bytes
embedded_file_obj0011.bin
500856001a9edb17a299f41c8b34871c12c85d56ec8eff03ef181fca24bb96b5		 pdf-embedded-file PDF EmbeddedFile object 11 at offset 0x7E74 200 bytes
embedded_file_obj0012.bin
560dcced2df6f65386a395771a4721a00980be4d89cc752639746882322da5c3		 pdf-embedded-file PDF EmbeddedFile object 12 at offset 0x7F71 2518 bytes
embedded_file_obj0014.bin
d7fa0bb4b440be27b73f2789111f5954ee699800ac09075cce38842f26f68454		 pdf-embedded-file PDF EmbeddedFile object 14 at offset 0xE31C 1610 bytes
embedded_file_obj0015.bin
73b89e1b97ed7e13506f21b0d6775a3b571f827a570db26ffc730d2694d01cc2		 pdf-embedded-file PDF EmbeddedFile object 15 at offset 0xE632 163 bytes
stream_013_off0000fdc1.js
91ea259764c68d27b8981a339c02d8ea92224ae5c0d0cd0a7c8f3d645d599090		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFDC1 902 bytes
stream_014_off0000ff20.js
f8721569904600df33f536ddc9f4942717077f9d6c3c4253a8f4de5650fc6531		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xFF20 1367 bytes
embedded_pdf_script_000084a4.bin
c2a2eaac76aa990e4ff455da90ea7e83bdc0e6ab33e0065f161cdf74abfb2ba4		 pdf-embedded-script PDF raw stream script payload at offset 0x84A4 24647 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
font_00_sfnt_off00000569.bin
3a47365ba29be93b97be381e34ec3c7ef0a10e0f82cdb3dadd6fb11f2800fdb3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x569 36717 bytes
polyglot_child_pdf_off001ac745.pdf
8e9584f5a3b60e4cfabdbf97fdf6f06d2b5159f7d6bd16799568590777b48553		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x1AC745 67385 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.