Malicious PDF — malware analysis report

Static analysis result for SHA-256 04116f38e43ed101…

MALICIOUS

PDF

245.9 KB Created: 2010-03-11 09:29:56 Authoring application: Microsoft® Office Word 2007
MD5: 5e2c7159f474075e3a4db38676061937 SHA-1: 7ad4077325af29790653f606b666e99c13de87d4 SHA-256: 04116f38e43ed101013eea8b5c754cf8bde5dd969896bfb3578cb481c21e2b21
200 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that leverages CVE-2009-4324 and CVE-2008-2992 vulnerabilities. The JavaScript attempts to evaluate obfuscated code, which is a common technique for downloading and executing further malicious content. The presence of multiple benign URLs does not detract from the malicious nature indicated by the exploit firings and script.

Machine Learning

  • Nyx PDF Classifier clean score 0.0005

Heuristics 7

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ocsp.verisign.com0
    • http://crl.verisign.com/ThawteTimestampingCA.crl0
    • http://crl.verisign.com/tss-ca.crl0
    • http://crl.microsoft.com/pki/crl/products/CodeSignPCA2.crl0O
    • http://www.microsoft.com/pki/certs/CodeSignPCA2.crt0
    • http://www.microsoft.com/typography

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
2e2c12d0a56301110d492546fc290c855b63e233573cf701d77eabd485f3646b		 pdf-javascript-stream PDF /JS object 6 at offset 0x18B 6603 bytes
stream_005_off0001d870.bin
66c34e20538c4932652f097052124f46c08f37030a957adf6f4d15121c0111c5		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1D870 128236 bytes
stream_007_off0002b631.bin
aeaa941bb63d786fdd3f05549095a40c83ec8ad780833478b57711a7d342028e		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2B631 133524 bytes
font_00_sfnt_off00019d53.bin
d1eec85bec696331346cee42e12b1aa96c372b765f7a4f732f0e3f40d8437f04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x19D53 64376 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.