PDF malware analysis — malicious · e3366fd2b4ff4858

MALICIOUS

PDF

168.9 KB

MD5: c06ef052db6710fd632952cc14917d84 SHA-1: 1bde4386ac5342f52b9f9be4b48585e2b9404e1c SHA-256: e3366fd2b4ff485840c147ea2eb811e793616a5a8bb2e1abfb4d37a03e53d774

138 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File T1566.001 Spearphishing Attachment T1204 User Execution: Malicious File

The sample is a PDF document that exploits CVE-2010-0188, a known vulnerability in Adobe Reader related to LibTIFF XFA image handling. ClamAV also detected it as Pdf.Dropper.Agent-5327070-0. The embedded file and exploit indicate the primary purpose is to deliver and execute a secondary payload.

Heuristics 5

Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188

PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
ClamAV: Pdf.Dropper.Agent-5327070-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-5327070-0
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
XFA form low PDF_XFA

PDF uses XML Forms Architecture — can contain script logic
PDF differential parser failed info PDF_DIFFERENTIAL_PARSE_FAILED

The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PSSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`embedded_file_obj0001.bin` `4039e9c998334ff031d82f5ca110045c516b3c5ea8785535b9ad33d41166a47b`	pdf-embedded-file	PDF EmbeddedFile object 1 at offset 0x4F	13560 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.