Malicious PDF — malware analysis report

Static analysis result for SHA-256 0354fe23c60e6810…

MALICIOUS

PDF

568.1 KB Created: 2008-01-05 16:25:50 +01:00 Authoring application: LaTeX with hyperref package (via pdfeTeX-1.21a)
MD5: ab12560f5a4af29560eef3ac633950f7 SHA-1: 0c3f337643ab3888ad99234fe8b014288f865826 SHA-256: 0354fe23c60e6810883d4b8cb74b65a02768eae238c9c27a93fef9cdf39bc5d2
212 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF exploits CVE-2011-2462 and CVE-2009-3459 related to the Adobe Reader 3D U3D parser. The embedded JavaScript performs a heap spray, a common technique used to prepare for exploitation. The script's primary function is to facilitate the execution of arbitrary code by leveraging these vulnerabilities, likely leading to the download of additional malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9894

Heuristics 8

  • Adobe Reader U3D parser exploit with JavaScript heap spray critical CVE likely CVE_2011_2462_U3D_HEAPSPRAY
    PDF combines U3D/3D annotation content with JavaScript heap-spray shellcode. Public CVE-2011-2462 exploit chains use a crafted U3D stream and JavaScript heap spray to control memory during Adobe Reader's U3D parser corruption.
  • Adobe Reader U3D auto-activated 3D annotation — CVE-2009-3459 critical CVE likely CVE_2009_3459_U3D_AUTOACTIVATE
    PDF contains a /Subtype /3D annotation that is configured to auto-activate on page view (/3DA <</A /PV /AIS /I>>) alongside a /U3D stream and JavaScript. This is the document shape used by CVE-2009-3459 (Adobe Reader U3D CLODProgressiveMeshDeclaration heap overflow, APSB09-15): the U3D parser runs without any user interaction once the page is rendered, while the accompanying JavaScript prepares a heap-spray to land controlled memory inside the corrupted allocation.
  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator high CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vcg.isti.cnr.it)/S/URI/Type/Action
    • http://meshlab.sourceforge.net)/S/URI/Type/Action
    • http://vcg.isti.cnr.it
    • http://meshlab.sourceforge.net
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0015_000.js
b1aa44f4b62d474640259e26224ed7345879053343648a220ae45c22d4af7091		 pdf-javascript-stream PDF /JS object 15 at offset 0x665 2575 bytes
stream_010_off00062b14.bin
b1f937b9541d599e1c6000c4c47f7f3f21a4d9b0e1051c8a5580e07bc6106afd		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x62B14 177792 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.72, consistent with packed or encrypted content.
font_00_type1_off0005bf51.bin
d129a586d7449f3004ab2629e1b01753002037f8ca955d68339aba6fea13d9dd		 pdf-font-stream PDF embedded font (type1) at offset 0x5BF51 6428 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.55, consistent with packed or encrypted content.
font_01_type1_off0005d7ec.bin
6d68a200ddadd677e7031f9795a017ce42b4d7f02b68d39a072ecbc1e20fb5d6		 pdf-font-stream PDF embedded font (type1) at offset 0x5D7EC 7849 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.64, consistent with packed or encrypted content.
font_02_type1_off0005f6b8.bin
cab7a46a0f2b73639fc37aa221b515da6888b096748ee89dec2f4876e25f7f1f		 pdf-font-stream PDF embedded font (type1) at offset 0x5F6B8 2374 bytes
font_03_type1_off0005fea9.bin
f1d06dc0327817e03d778a88f65436557134c269106fbc5438dd4ef0c897a441		 pdf-font-stream PDF embedded font (type1) at offset 0x5FEA9 11287 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.76, consistent with packed or encrypted content.

Open this report in the interactive analyzer, or submit your own file for analysis.