Malicious PDF — malware analysis report

Static analysis result for SHA-256 016748fbc6459a9d…

MALICIOUS

PDF

Size: 159.8 KB
Created: (unreadable; metadata string is garbled in the extracted output)
Authoring application: (unreadable; metadata string is garbled in the extracted output)
MD5: 4f7dedabce3aceab7e8caf5c833c4583
SHA-1: 8681a86954de47ae7a85b0f3315223a966a30d21
SHA-256: 016748fbc6459a9df929e6474804f0d4a60bbbd44ee0c546fb8135754143d02a
Risk Score: 180

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF is encrypted and contains JavaScript, indicating an attempt to obscure malicious content. Critical heuristics identify exploitation of CVE-2009-4324 (media.newPlayer) and CVE-2007-5659 (Collab.collectEmailInfo), which are commonly used to trigger embedded JavaScript. The extracted JavaScript attempts to exploit these vulnerabilities to download and execute further payloads, as evidenced by the use of `this.media.newPlayer(null)` and `this.collabStore = Collab.collectEmailInfo(...)` with obfuscated data.

Machine Learning

  • Nyx PDF Classifier suspicious score 0.3422

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 [severity: critical; match: CVE exact; rule: CVE_2009_4324]
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 [severity: critical; match: CVE exact; rule: CVE_2007_5659]
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis [severity: high; rule: PDF_ENCRYPTED_WITH_JS]
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [severity: info; rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (16)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size | Detection
--- | --- | --- | --- | --- | ---
javascript_obj0022_000.js | 95dc03da728aeeb8dbeb60fea450273e044e3aba5f9b1c5bf6bebea0ae48ce49 | pdf-javascript-stream | PDF /JS object 22 at offset 0xCB0 | 1735 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact contains 7 eval/decoder/string-building tokens).
font_00_cff_off00017f1e.bin | 3e225972f2f442cc558b4bba18a9537c61258285f53dc0d8a4ec4238a7d7d5e2 | pdf-font-stream | PDF embedded font (cff) at offset 0x17F1E | 10136 bytes |
font_01_cff_off00019f9b.bin | caa8414d4d6a740a345fbfe0b27c1a3eddeadf32cbe2427ed2c56e4cf996591f | pdf-font-stream | PDF embedded font (cff) at offset 0x19F9B | 2578 bytes |
font_02_cff_off0001a836.bin | c91abfcd3930336bc9594d9ec4d4d405309d940bbe7c0b4bcdc58db7d67df1a8 | pdf-font-stream | PDF embedded font (cff) at offset 0x1A836 | 2185 bytes |
font_03_cff_off0001aff5.bin | 9180615f519a789f0380bd432ad29e2fff1be820167bd8d00d78b83399174ca8 | pdf-font-stream | PDF embedded font (cff) at offset 0x1AFF5 | 10692 bytes |
font_04_cff_off0001d208.bin | f81ee67c5fce16e6ba3a333ffaf42985de022c64bb8daa8a48bfa583dc052df0 | pdf-font-stream | PDF embedded font (cff) at offset 0x1D208 | 3014 bytes |
font_05_cff_off0001dce5.bin | ca23c254b220dddbb7afb700270c4bd531662aab19563b87acb4203df8520c58 | pdf-font-stream | PDF embedded font (cff) at offset 0x1DCE5 | 4130 bytes |
font_06_cff_off0001eaab.bin | 76ebd59fe61d537b4ae226c79699cf6474c3e15b1423a2867c3313d9b6fd3489 | pdf-font-stream | PDF embedded font (cff) at offset 0x1EAAB | 7020 bytes |
font_07_cff_off00020280.bin | 72355e3f5ff7b22a9e8c2b720b38d32c8aa0fcafc08f31ac505742da69d949ea | pdf-font-stream | PDF embedded font (cff) at offset 0x20280 | 8403 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content).
font_08_cff_off00022051.bin | 01d51e03ecada53bc3fbd0536b360da03a3522badaf6b24d6a357da0351803e5 | pdf-font-stream | PDF embedded font (cff) at offset 0x22051 | 788 bytes |
font_09_cff_off00022391.bin | 6642d40803290084f4ec5deb7108729bee820816f63746d0c419fb7a31a8347e | pdf-font-stream | PDF embedded font (cff) at offset 0x22391 | 4739 bytes |
font_10_cff_off0002331b.bin | b5ddef935591a23433aa952b1a6ac21a11db3b2912fcbd36e7650ea9ae29771f | pdf-font-stream | PDF embedded font (cff) at offset 0x2331B | 3636 bytes |
font_11_cff_off00023f8b.bin | 8ee9cf70904eecc8cc4bd87f02301c1308a36af4c606ec011c0d428ed390bcae | pdf-font-stream | PDF embedded font (cff) at offset 0x23F8B | 2996 bytes |
font_12_cff_off000249ae.bin | 6bbdbd8538a659407204012184942e4f20a1e81cc455a0324f0890fe9d556a58 | pdf-font-stream | PDF embedded font (cff) at offset 0x249AE | 2643 bytes |
font_13_cff_off0002527a.bin | fa3a824eea5cd1e5b135b04424e01bc3c09285102dde7c294ce49c4b50818219 | pdf-font-stream | PDF embedded font (cff) at offset 0x2527A | 4175 bytes | ClamAV: No threats found. Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content).
font_14_cff_off0002622c.bin | 4df1ee7e39dbb7f7afd5347e16f00207144c623a07f16e798a163ce1af61a6bf | pdf-font-stream | PDF embedded font (cff) at offset 0x2622C | 3157 bytes |