Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0e6d3eb05bfcb2e…

MALICIOUS

PDF

99.6 KB
MD5: 451f076d0a4c6a646e1a52ed4aad18c5 SHA-1: 6b2f2db811879e96e8559c80d2fee73dfe9c739a SHA-256: e0e6d3eb05bfcb2e3a5e0f01cb75cda8379f9c8528c43cf4406d2d72ac26db18
136 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: Malicious PDF T1059.001 Command and Scripting Interpreter: PowerShell

The sample is a PDF file that exploits CVE-2010-0188, a known vulnerability in Adobe Reader related to XFA forms. The critical heuristic firing indicates the exploit payload was decoded from a raw stream. The presence of embedded script payloads and XFA forms with executable scripts further supports the malicious nature. The attack pattern is likely to involve tricking the user into opening the PDF, which then exploits the vulnerability to download and execute a secondary payload.

Heuristics 6

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains the CVE-2010-0188 exploit template: XFA JavaScript heap-spray setup, a generated TIFF image payload, and assignment of that TIFF data to an XFA image field rawValue to trigger Adobe Reader's LibTIFF parser.
  • XFA form contains executable script high CVE related PDF_XFA_SCRIPT
    PDF embeds an XFA form whose dataset contains a <script> or <xfa:script> block — XFA scripting has been the exploit primitive for several Adobe Reader RCEs (CVE-2010-0188 family, CVE-2018-4901, and others). Plain XFA without scripts is far less risky.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ns.adobe.com/xdp/
    • http://www.xfa.org/schema/xfa-template/2.5/
    • http://www.xfa.org/schema/xfa-data/1.0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0008.bin
1cde0d3b456768e6c806a547666f64bfd3195fe72be8d1b0f1c53804425f41d2		 pdf-embedded-file PDF EmbeddedFile object 8 at offset 0xC6 101198 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.