Malicious PDF — malware analysis report

Static analysis result for SHA-256 036ae23b29b7da47…

MALICIOUS

PDF

266.8 KB
MD5: 3f993af378694d3daaea533a08465a72 SHA-1: ff6b7b58bd86efe301a74d1ab4a13e2305eb50e8 SHA-256: 036ae23b29b7da478ba02533e8dc40dc045e8c642fc89001fe0145cdaf467e60
596 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

This PDF file is identified as malicious due to multiple critical heuristic firings indicating exploit activity. Specifically, it leverages JavaScript to trigger vulnerabilities such as CVE-2007-5659 (Collab.collectEmailInfo) and CVE-2009-4324 (media.newPlayer) within Adobe Reader. The embedded JavaScript is heavily obfuscated but appears designed to download and execute a secondary payload, as suggested by the generic stage recovery findings.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 14

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • RichMedia (Flash) high PDF_RICHMEDIA
    PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 8

Files carved from inside the sample during analysis.

FilenameKindSourceSize
zVGWPnPsl.swf
ae13437efad4e3a4f03cb0339d03b7d795966b217d30a540767c4ae26f402285		 pdf-embedded-file PDF EmbeddedFile object 16 at offset 0x146D 26774 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: likely
Carved artifact entropy is 7.99, consistent with packed or encrypted content.
javascript_obj0006_000.js
ce44f38eb0f616818628376bcec99247a88e161a69539f804a0484c5f0b1d586		 pdf-javascript-stream PDF /JS object 6 at offset 0x13C 12116 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
generic_stage_recovery_000.js
53d58cc25aec57b8052c888d57d68cab5d69d1cf12daf6d1e603cc9929272ae8		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 6 at offset 0x13C 11997 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s). Carved artifact contains 3 long base64-like blob(s).
generic_stage_recovery_001.js
cb1d2ccadd76a58cfe71bc22f7b8f3d5f650c42515f9c85c05f2f9ad257f9c57		 deobfuscated-js generic stage recovery marker-XX-to-%u from JavaScript object 6 at offset 0x13C 11461 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
1162e8f2f7367d453d389fa6529f5821f6b2e8f33f65fc82963e0dc116a9fea5		 deobfuscated-js generic stage recovery marker-XX-to-%u from JavaScript object 6 at offset 0x13C 7783 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
7c7261ba17e4f02bfc97701d412ec6e6eba6fca17261ab4a3b164c30b226aa07		 deobfuscated-js generic stage recovery split-literal-normalize -> marker-XX-to-%u from JavaScript object 6 at offset 0x13C 11342 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
generic_stage_recovery_004.js
8607be2bfbfb443eb107e790cc13f6020d6574426a7d50e920b9365e383dab3a		 deobfuscated-js generic stage recovery split-literal-normalize -> marker-XX-to-%u from JavaScript object 6 at offset 0x13C 7664 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
polyglot_child_pdf_off000398e8.pdf
df9caa1a8a81c3c654c87afe8a643f4a27424e4bd52b96287571843eae27694e		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0x398E8 37419 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35955
Obfuscation or payload: unlikely

Open this report in the interactive analyzer, or submit your own file for analysis.