Malicious PDF — malware analysis report

Static analysis result for SHA-256 00f6a90715e0da83…

Verdict: MALICIOUS
File type: PDF
Size: 507.0 KB
MD5: 27111c4b2264a613a2f0503abfa6748b
SHA-1: 2638753f0a7e33072c84d2cc871e3878b21f72bb
SHA-256: 00f6a90715e0da83387960a7e58b05df4d348d5fc1e3684e99accd3be4a6964e
Risk Score: 266

Malware Insights

MITRE ATT&CK

  • T1059.001 PowerShell
  • T1204.002 Malicious File

The PDF file contains embedded JavaScript that triggers an exploit targeting CVE-2009-0927 via the Collab.getIcon method. This exploit cluster is known to facilitate arbitrary code execution within the PDF viewer. The ML classifier and ClamAV detection strongly indicate malicious intent, likely to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (6)

  • Collab.getIcon — CVE-2009-0927 [severity: critical; type: CVE exact; rule: CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution.
  • PDF JavaScript exploit cluster [severity: critical; rule: PDF_JS_EXPLOIT_CLUSTER]
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.CVE_2009_0927-1 [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Exploit.CVE_2009_0927-1
  • unescape() call [severity: high; rule: PDF_UNESCAPE]
    unescape() call found; it is often used to decode shellcode in PDF JS exploits.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.