{
  "Event": {
    "analysis": "1",
    "date": "2026-04-09",
    "extends_uuid": "",
    "info": "[Threat Intel] Adobe Reader 0-day",
    "protected": false,
    "publish_timestamp": "1776462988",
    "published": true,
    "threat_level_id": "1",
    "timestamp": "1776462988",
    "uuid": "8f60fa7d-5a5f-46b1-8fc0-cf9eed3fd2d6",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Vulnerabilities - T1588.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:producer=\"Sophos\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"vulnerability\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#150052",
        "local": false,
        "name": "rectifyq:sub-category=\"zero-day\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135633",
        "to_ids": false,
        "type": "text",
        "uuid": "b080f314-668a-470a-bc3f-c7360cd38917",
        "value": "On April 7, 2026, a security researcher described an Adobe Reader zero-day vulnerability that has been exploited since at least December 2025. The vulnerability allows threat actors to execute privileged Acrobat APIs via specially crafted malicious PDF files that execute obfuscated JavaScript when opened. Exploitation allows attackers to steal sensitive user and system data and to potentially launch additional attacks and remotely execute code. Recommendations: Reduce the risk by automatically scanning PDF email attachments, blocking suspicious files, training users to be wary of unsolicited attachments, and advising users to temporarily avoid using Adobe Reader to open PDFs. Reference: https://www.sophos.com/en-us/blog/adobe-reader-zero-day-vulnerability-in-active-exploitation"
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776135633",
        "to_ids": false,
        "type": "text",
        "uuid": "6e1ae951-e128-4cae-ae90-a5e00e1fd3df",
        "value": "Name: Adobe Reader 0-day\nAuthor: AlienVault\nAdversary: \nTags: [\"adobe reader\", \"0-day\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1588.006\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "C2 server in Adobe Reader attacks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401835",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "fce3ff99-964a-4a26-a206-d268865ec981",
        "value": "169.40.2.68",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 server in Adobe Reader attacks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401857",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "70728901-5265-4d73-a594-a7576426dc99",
        "value": "188.214.34.20",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 server in Adobe Reader attacks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776401878",
        "to_ids": true,
        "type": "domain",
        "uuid": "fa852e89-a9f8-47a7-a8ef-9d7acf48a542",
        "value": "ado-read-parser.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776356215",
        "to_ids": false,
        "type": "link",
        "uuid": "247131de-0bd1-4769-ab1d-6d8b80290d3d",
        "value": "https://www.sophos.com/en-us/blog/adobe-reader-zero-day-vulnerability-in-active-exploitation"
      },
      {
        "category": "Network activity",
        "comment": "C2 server in Adobe Reader attacks, on port 45191",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776356283",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "8c09b7d1-ad16-4f34-9599-667440aa1d40",
        "value": "169.40.2.68|45191"
      },
      {
        "category": "Network activity",
        "comment": "C2 server in Adobe Reader attacks, on port 34123",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776356283",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "ac4eb820-e80c-452b-b32b-2d91c97ad1f6",
        "value": "188.214.34.20|34123"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776401899",
        "uuid": "748b0672-5e4a-4673-8ed2-3da91bba3067",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776401899",
            "to_ids": true,
            "type": "md5",
            "uuid": "d4db4001-d3e7-4622-9ac6-4cf2efbf4556",
            "value": "1929da3ef904efb8c940679045452321",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399320",
            "to_ids": true,
            "type": "sha1",
            "uuid": "e975ca51-8f76-4f40-9756-3c8510da554a",
            "value": "7f3c6f97612dd0a018797f99fad4df754e5feb35",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399320",
            "to_ids": true,
            "type": "sha256",
            "uuid": "95e65009-d90c-456b-b1a4-087f6e044fa9",
            "value": "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398302",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "debd7e20-2fa2-48f1-a1be-5c33879a640d",
            "value": "6144:CtaMPYpAgn9K1qwMRGQmtGBSMJy4LfTVwlW:5UIf/fmgFlW8"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398302",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "620acc6c-1197-4ba9-865e-96bce6db0ec6",
            "value": "254698"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398302",
            "to_ids": true,
            "type": "vhash",
            "uuid": "2de00b1f-9961-4695-a4cd-6267c7cfe34a",
            "value": "99f75c36e069b669914fdec2a2bcf6207"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398302",
            "to_ids": true,
            "type": "filename",
            "uuid": "8283eefb-a5be-487c-83e8-8c45b2c0dadb",
            "value": "65dca34b04416f9a113f09718cbe51e11fd58e7287b7863e37f393ed4d25dde7_2026_exploit"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan\t:  16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398302",
            "to_ids": false,
            "type": "text",
            "uuid": "050d5adc-0ca4-423f-8ec4-c62e7fab8471",
            "value": "Malicious PDF sample in Adobe Reader attacks (yummy_adobe_exploit_uwu.pdf)\r\nType Description: PDF\nMicrosoft: Trojan:PDF/Stealer!MSR\nVT Total Detection:40/64\nFirst Submission:2026-03-23T12:05:37.000000+00:00\nLast Submission:2026-04-16T06:36:20.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1776401920",
        "uuid": "07e8db66-4091-475c-815f-6c75c98b15cc",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1776401920",
            "to_ids": true,
            "type": "md5",
            "uuid": "d6bd3a91-0db6-442b-9a51-59b138ddbb02",
            "value": "522cda0c18b410daa033dc66c48eb75a",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1776399321",
            "to_ids": true,
            "type": "sha1",
            "uuid": "ed0b73f5-2c52-4e93-b887-ee4a2c04bcd8",
            "value": "dafd571da1df72fb53bcd250e8b901103b51d6e4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf)",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1776399321",
            "to_ids": true,
            "type": "sha256",
            "uuid": "89b8f159-5c8d-4c04-bf20-547a9cada423",
            "value": "54077a5b15638e354fa02318623775b7a1cc0e8c21e59bcbab333035369e377f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1776398324",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "97b3d9f9-a73b-4463-8160-f8ae540f831b",
            "value": "6144:JeSqETXrhj1xWuSpMRdZKoEWmyduMPWG73E/eN2zpf6O:JeSqA5WGZKv3eOiO"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1776398324",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "67789b65-4a1a-42cf-95b6-9e6260074823",
            "value": "320066"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1776398324",
            "to_ids": true,
            "type": "vhash",
            "uuid": "0e2f3a2d-3f99-49a8-b249-262633575dd3",
            "value": "9ea8b9bb3a319944b52d397da42536ca6"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1776398324",
            "to_ids": true,
            "type": "filename",
            "uuid": "cf723521-cd04-4de7-89ca-ffb7c93e1854",
            "value": "522cda0c18b410daa033dc66c48eb75a.pdf"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/04/2026\nLast-scan\t:  16/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1776398324",
            "to_ids": false,
            "type": "text",
            "uuid": "f3820a3b-f93e-420e-830d-4da77c760ada",
            "value": "Malicious PDF lure in Adobe Reader attacks (Invoice540.pdf)\r\nType Description: PDF\nMicrosoft: Trojan:JS/Obfuse.GXFG!MTB\nVT Total Detection:39/64\nFirst Submission:2025-11-28T10:12:49.000000+00:00\nLast Submission:2026-04-16T06:12:05.000000+00:00"
          }
        ]
      }
    ]
  }
}