Malicious PDF — malware analysis report

Static analysis result for SHA-256 f62d01827e3504a3…

MALICIOUS

PDF

1.07 MB Created: 2008-02-19 15:01:00 +01:00 Authoring application: Adobe Designer 7.0
MD5: 6bec54ef5876cdab33c467e2f348b26f SHA-1: c9e23d89ba57110979dbaeadeb8f398f18f83fe1 SHA-256: f62d01827e3504a37ee6628999bb75370b2e342de9ec0f2c03cbceb958bfa44a
120 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious File T1204.002 Malicious File: User Execution: Malicious Attachment T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file contains embedded JavaScript and is flagged for exploiting CVE-2010-0188, a vulnerability in Adobe Reader related to XFA forms. This indicates the document is designed to deliver a malicious payload upon opening. No specific malware family was identified, but the exploit suggests a targeted attack or a widely distributed exploit document.

Heuristics 8

  • Adobe Reader LibTIFF XFA image exploit — CVE-2010-0188 critical CVE likely CVE_2010_0188
    PDF contains XFA image data with an inline crafted TIFF payload and shellcode/delivery markers. This is the data-bound variant of the CVE-2010-0188 Adobe Reader LibTIFF/XFA exploit shape.
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • XFA form low PDF_XFA
    PDF uses XML Forms Architecture — can contain script logic
  • AcroForm button with action trigger low PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger — this is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 13

Files carved from inside the sample during analysis.

FilenameKindSourceSize
embedded_file_obj0822.bin
c06dcd026a7ea0536b63e07ce688691b585339a3ab7ff59065e546b56308c7bb		 pdf-embedded-file PDF EmbeddedFile object 822 at offset 0xCD97D 85 bytes
embedded_file_obj0823.bin
72fb19c4f1433a29eb816fa2643b0fda2801e58bb4de3d6c6a7d530563da8bac		 pdf-embedded-file PDF EmbeddedFile object 823 at offset 0xCDA30 2286 bytes
embedded_file_obj0824.bin
e94599090058f658d1782e8fa0f6a1ea9eb231b29202ac26f117a53609537db0		 pdf-embedded-file PDF EmbeddedFile object 824 at offset 0xCDDC9 323584 bytes
embedded_file_obj0825.bin
c111ab7ed08efa2f582b38e24dd8e7af547a1cabc5012f0ed20fb43a368dabc5		 pdf-embedded-file PDF EmbeddedFile object 825 at offset 0xEF60E 3070 bytes
embedded_file_obj0826.bin
57045217c453d4674a08ad8778674bf199a7989a9505424a1815c016e6bb412f		 pdf-embedded-file PDF EmbeddedFile object 826 at offset 0xEF89F 212 bytes
embedded_file_obj0827.bin
b5c80aaca30b5ad1a78f82136b95d90b2b5bd955322f2292dd939f9e53766f15		 pdf-embedded-file PDF EmbeddedFile object 827 at offset 0xEF997 724 bytes
embedded_file_obj0828.bin
a60265344cf1a9e94da34c8f587f64a4297e2fa417c895852209903ab7588bcc		 pdf-embedded-file PDF EmbeddedFile object 828 at offset 0xEFB7A 85 bytes
javascript_obj0814_000.js
4a1aca004cf20431c9a66dce85404a6411a54d881a6c257882260ffc972a13eb		 pdf-javascript-stream PDF /JS object 814 at offset 0xCD1F6 870 bytes
javascript_obj0816_001.js
4e139c8b22ec16bd5aa51575c80dec2bbf89b76977a06b68473031a0eb206366		 pdf-javascript-stream PDF /JS object 816 at offset 0xCD37D 2794 bytes
javascript_obj0818_002.js
c876171bd867b66b7671fb337ff9e57d18cd15b43d344cf5a7243821300a408a		 pdf-javascript-stream PDF /JS object 818 at offset 0xCD66F 1528 bytes
stream_006_off00002f92.bin
4735e29f6b4dfaae31ceba3a66c7548a579b3b0ad8f9ec68bc6e90b0597d7de3		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2F92 308015 bytes
stream_014_off0006adea.bin
64082d40d3cdc1067fa248dd1ffcfce08f00554bd2adca2ed59375761244c428		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x6ADEA 222774 bytes
stream_038_off000efc90.bin
0729704c7e8dc2680aa8450eb31b84c01d79d5aa49fde8bdf24dfaacc6e51a3d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xEFC90 505386 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.