Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe156310e5da881f…

Verdict: MALICIOUS
File type: PDF
Size: 17.73 MB
MD5: 560f15b3ce797f617a37a60112b27bed
SHA-1: 9c9de0a4300a7843b0ae783c320ad9261e70ec81
SHA-256: fe156310e5da881fc721c4478856757efa3bfef8b82f48f89bacc104a006f733
Risk Score: 70

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript and exhibits characteristics indicative of the CVE-2010-0188 exploit, specifically related to CCITTFaxDecode and XFA. The high number of streams suggests obfuscation or heap spraying techniques. The embedded JavaScript is likely responsible for triggering the exploit and executing a malicious payload.

Heuristics (5)

  • [high] PDF_CCITT_CVE_2010_0188_RELATED: CCITTFaxDecode + TIFF/XFA exploit prep (LibTIFF CVE-family indicator, CVE related)
    PDF uses /CCITTFaxDecode together with TIFF/XFA exploit-preparation markers such as rawValue image-field assignment, TIFF data, or heap-spray JavaScript. This matches the delivery pattern for Adobe Reader LibTIFF/CCITTFax parser exploit families, including CVE-2010-0188, but does not prove the exact malformed TIFF primitive.
  • [medium] PDF_MANY_STREAMS: Unusually high stream count
    PDF contains 501+ stream objects, which may indicate heap spray or heavy obfuscation.
  • [low] PDF_JS: Embedded JS stream
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • [info] EXTRACTED_FILE_STATIC_TRIAGE: Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/exif/1.0/

Extracted artifacts (12)

Files carved from inside the sample during analysis.

  • objstm_16769_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 16769 0 obj (inflated)
    Size: 21607 bytes
    SHA-256: fff3b4fe963565b189b5b6906bb4ea4434237046a0f3f5d9e2a8aa23f1243877
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 8 long base64-like blob(s))
  • objstm_16815_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 16815 0 obj (inflated)
    Size: 19856 bytes
    SHA-256: 75230c4a463d5ae453c798ffc6ece7ab51da618c134d237c6df81b4e5c576e4e
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 4 long base64-like blob(s))
  • objstm_16816_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 16816 0 obj (inflated)
    Size: 23435 bytes
    SHA-256: 382f53399b35652f0b4f7a1e7ce812053bef5160e2932a967820d18a28878d08
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 23 long base64-like blob(s))
  • objstm_16817_00.bin
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 16817 0 obj (inflated)
    Size: 23312 bytes
    SHA-256: a5a7d0aa1cdd8539eb687d838a3d09a0fa4d5fb5682cb1d4d97248cd5668f6e8
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 26 long base64-like blob(s))
  • icc_00_off000c4c95.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0xC4C95
    Size: 3144 bytes
    SHA-256: 3f6d674174f3804eb0dabdac90ae17486e898c5063a66f861c116ea033da8301
  • icc_01_off0022da81.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x22DA81
    Size: 3144 bytes
    SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  • icc_02_off010f94a9.icc
    Kind: pdf-icc-profile
    Source: PDF ICC profile at offset 0x10F94A9
    Size: 557168 bytes
    SHA-256: 4855b8fabb96bdc6495d45d089bb8c8efb1ae18389e0dc9e75a5f701a9c0b662
  • font_00_cff_off0118edc7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x118EDC7
    Size: 1014 bytes
    SHA-256: 98217069ea6f8339e3bda5f1a09f1b81e796fbe14d5d15f83749324d81494ef8
  • font_01_cff_off0118f212.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x118F212
    Size: 2797 bytes
    SHA-256: 05ec1e8e79809cd88aa55b1ddf72913342c3dbc22952f7096da65de7d84168fb
  • font_02_cff_off0118fb13.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x118FB13
    Size: 865 bytes
    SHA-256: fc0761a66e4fbcc63d92e103099e4bf6763d249579fbdfa79e00bb75a486e140
  • font_03_cff_off0118feb0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x118FEB0
    Size: 864 bytes
    SHA-256: 76c12ad8beeeed6ffc8edbd91d07c3f3a0a3ce35e8577192aea0e3a70478808b
  • font_04_cff_off01190267.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x1190267
    Size: 193128 bytes
    SHA-256: 937783e48a589fb77121464393a21ad9b539c8b8b9255f94ac0c30fa2a7ce9fc
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.49, consistent with packed or encrypted content)