Malicious PDF — malware analysis report

Static analysis result for SHA-256 042caea4bec0708a…

MALICIOUS

PDF

Size: 475.6 KB. Created: (unreadable). Authoring application: (unreadable). Both Info-dictionary strings are present but garbled rather than missing, which is what encrypted document metadata looks like; the document declares /Encrypt (see Heuristics), so these fields cannot be read from the raw file.
MD5: 229582f8046c75814d247389caa6eee4 SHA-1: 710bce62d99ac0c138d8d5ba63c0432b8d9ffe5c SHA-256: 042caea4bec0708a54d4dabe766f8fcb93b9ac2266535578ebe3254d353b2053
Risk Score: 298

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution; T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains embedded JavaScript that calls media.newPlayer (CVE-2009-4324) and Collab.collectEmailInfo (CVE-2007-5659), two Adobe Reader JavaScript API vulnerabilities that were exploited in the wild for code execution. Both were patched years ago, so the exploit only succeeds against an old, unpatched Reader; the document is malicious regardless. The script is heavily obfuscated but appears designed to download and execute a secondary payload. The document also contains lures suggesting an advance-fee scam, a common social-engineering tactic for malware delivery.
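As an added example (not part of this report and not the scanner's own code), the following Python script reproduces the kind of static check behind the API-call and encryption heuristics listed below: it scans a PDF for structural keys (/Encrypt, /JavaScript, /JS, /OpenAction), inflates FlateDecode streams, matches the two exploited API calls in both raw and decompressed content, and counts decoder-style tokens as a rough obfuscation signal. The PDF it builds is constructed test data, not the analysed file; the regexes, the token list and the flag name are assumptions chosen for illustration.

```python
import re
import zlib

# Acrobat JavaScript APIs with known exploits; CVE labels as used in the report.
DANGEROUS_APIS = {
    "CVE-2009-4324": r"media\.newPlayer\s*\(",
    "CVE-2007-5659": r"Collab\.collectEmailInfo\s*\(",
}

# Tokens typical of decoder/string-building JavaScript (assumed list, rough signal).
OBFUSCATION_TOKENS = [
    r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
    r"\.replace\s*\(", r"\.split\s*\(", r"\.join\s*\(", r"\bapp\.setTimeOut\s*\(",
    r"\\x[0-9a-fA-F]{2}", r"%u[0-9a-fA-F]{4}",
]

# Structural keys whose presence and co-occurrence the report's rules score.
STRUCTURE_KEYS = [b"/Encrypt", b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"]

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def count_obfuscation_tokens(text):
    """Number of eval/decoder/string-building tokens in a JavaScript body."""
    return sum(len(re.findall(t, text)) for t in OBFUSCATION_TOKENS)


def iter_streams(pdf):
    """Yield (offset, raw_bytes, inflated_or_None) for every stream object."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            inflated = zlib.decompress(raw)   # FlateDecode; other filters stay raw
        except zlib.error:
            inflated = None
        yield m.start(1), raw, inflated


def triage(pdf):
    """Static triage of a PDF byte string: structural keys, dangerous API calls
    matched in raw and decompressed streams, and per-stream obfuscation counts."""
    keys = {k.decode(): pdf.count(k) for k in STRUCTURE_KEYS if pdf.count(k)}
    apis, obfuscation = [], {}
    for off, raw, inflated in iter_streams(pdf):
        for where, body in (("raw", raw), ("decompressed", inflated)):
            if body is None:
                continue
            text = body.decode("latin-1")
            for cve, pattern in DANGEROUS_APIS.items():
                if re.search(pattern, text):
                    apis.append((cve, where, off))
            n = count_obfuscation_tokens(text)
            if n:
                obfuscation[off] = max(obfuscation.get(off, 0), n)
    has_js = "/JavaScript" in keys or "/JS" in keys
    return {
        "keys": keys,
        "apis": apis,
        "obfuscation": obfuscation,
        "PDF_ENCRYPTED_WITH_JS": "/Encrypt" in keys and has_js,
    }


# Constructed sample (not the analysed file): a FlateDecode /JS stream that calls
# both exploited APIs behind a thin layer of decoder-style obfuscation.
SAMPLE_JS = (
    "var s = unescape('%u9090%u9090');"
    "var m = eval(String.fromCharCode(109, 101, 100, 105, 97));"
    "media.newPlayer(null);"
    "Collab.collectEmailInfo({subj: '', msg: s});"
)


def build_sample_pdf(js_source=SAMPLE_JS, encrypted=False):
    """Build a minimal PDF whose object 4 is a compressed /JS stream reached via
    /OpenAction. With encrypted=True only the /Encrypt trailer entry is added; the
    stream is not actually enciphered, which is enough to exercise the rule."""
    body = zlib.compress(js_source.encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body) + body + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R" + (b" /Encrypt 5 0 R" if encrypted else b"") + b" >>\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    for enc in (False, True):
        print(triage(build_sample_pdf(encrypted=enc)))
```

Running it prints two reports, one without and one with the /Encrypt trailer entry; in the second the PDF_ENCRYPTED_WITH_JS flag is set while both API calls are still matched in the decompressed stream, which is the situation the encryption heuristic describes for this sample. A genuinely encrypted file would first need standard-security-handler decryption (with the empty user password) before zlib.decompress succeeds; that step is deliberately not implemented here.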

Machine Learning

  • Nyx PDF Classifier malicious score 0.8672

Heuristics 10

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JS
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners that do not implement the PDF standard security handler; combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript. Caveat for this sample: the /JS object was carved and both dangerous API calls were matched in the decompressed stream (see Extracted artifacts), so the JavaScript was in fact recoverable here, as it is whenever the user password is empty (the common case for this evasion) or the stream was never actually enciphered. Only a document protected with a non-empty user password is opaque without the key.
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://FIRE.IRS.gov
    • http://www.iec.ch
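The three SE_* lure rules above are co-occurrence rules: each fires only when every one of its term groups is present, which is what keeps a benign courier newsletter or a lone "invoice" from scoring. As an added example (not the scanner's code), here is a Python rule engine of that shape run over constructed sample text; the term lists and rule names are assumptions modelled on the rule descriptions, not the real signatures.

```python
import re

# Each rule is a list of term groups; a rule fires only if every group has a hit.
# Term lists are assumed for illustration and deliberately small.
LURE_RULES = {
    "SE_CLIPBOARD_COMMAND_LURE": [
        [r"\bcopy\b", r"\bpaste\b", r"ctrl\s*\+\s*v", r"clipboard"],            # clipboard action
        [r"\brun\b", r"powershell", r"\bcmd\b", r"command prompt", r"terminal",
         r"win\s*\+\s*r"],                                                      # execution context
    ],
    "SE_ADVANCE_FEE_SCAM_LURE": [
        [r"lottery", r"beneficiar", r"\bprize\b", r"\bwinner\b"],               # prize/beneficiary
        [r"\$\s?\d[\d,]{5,}", r"\bdraft\b", r"\bfunds?\b", r"million"],          # large-value funds
        [r"parcel", r"courier", r"delivery", r"diplomat"],                       # delivery requirement
    ],
    "SE_INVOICE_LURE": [
        [r"invoice", r"payment", r"remittance"],                                 # invoice language
        [r"\bopen\b", r"\bview\b", r"\bclick\b", r"\bdownload\b", r"\breview\b"],  # action verb
    ],
}


def score_lures(text):
    """Return {rule_name: [first matching term per group]} for every rule whose
    term groups are all present in the (case-folded) document text."""
    folded = text.lower()
    hits = {}
    for name, groups in LURE_RULES.items():
        matched = []
        for group in groups:
            found = [pattern for pattern in group if re.search(pattern, folded)]
            if not found:
                break                      # one empty group is enough to suppress the rule
            matched.append(found[0])
        else:
            hits[name] = matched
    return hits


# Constructed sample texts, not text extracted from the analysed document.
SCAM_TEXT = (
    "Congratulations! You are the lucky WINNER of the lottery draw. "
    "A bank draft of $2,500,000.00 has been prepared in your name as beneficiary. "
    "To receive it, the parcel must be shipped by our accredited courier. "
    "Press Win+R, paste the verification code from your clipboard and press Enter."
)
INVOICE_TEXT = "Please review the attached invoice and remit payment by Friday."
BENIGN_TEXT = "Quarterly newsletter: our courier partners now offer Saturday delivery."

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_TEXT), ("invoice", INVOICE_TEXT), ("benign", BENIGN_TEXT)):
        print(label, score_lures(sample))
```

The benign newsletter hits the delivery group of the advance-fee rule but none of the others, so it scores nothing; the invoice text fires only the low-severity invoice rule, which is why that rule is treated as context rather than a detection on its own.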

Extracted artifacts 13

Files carved from inside the sample during analysis.

One record per carved file: Filename, Kind, Source, Size, SHA-256, and Detection where the artifact was scanned.

javascript_obj0099_000.js
  Kind: pdf-javascript-stream
  Source: PDF /JS object 99 at offset 0x2E7C
  Size: 1735 bytes
  SHA-256: 8c557424c8f7fd10bc084d342877e62f58d9e1616c3fcd939202f1797212cadd
  Detection: ClamAV: No threats found. Obfuscation or payload: likely; the carved artifact contains 7 eval/decoder/string-building token(s).

font_00_cff_off00075869.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x75869
  Size: 358 bytes
  SHA-256: 95fd7b0f339b37500fccbf3febb22c0f3521883c44ed409d06fc8f16974acf57

icc_00_off0006c286.icc
  Kind: pdf-icc-profile
  Source: PDF ICC profile at offset 0x6C286
  Size: 3144 bytes
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e

font_00_cff_off0006f2aa.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x6F2AA
  Size: 4551 bytes
  SHA-256: af9a0ea514e5d14cb9f9ce2ff8c8c74283d4e52f3d715c8db0334b9f110d4204

font_01_cff_off000701db.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x701DB
  Size: 5512 bytes
  SHA-256: 73fa00c0a65e0652d245e073824e06180afe9a353f98fd47490d33b852209626

font_02_cff_off00071427.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x71427
  Size: 408 bytes
  SHA-256: 0cd528f6d4afa327c42f0eb38d0223a2dfb8a886d5c0b9113804c5598d3613db

font_03_cff_off000715f1.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x715F1
  Size: 648 bytes
  SHA-256: c1388a9f1c8aafcdabcfd4e4522cfe3fc0bbbdea9357d6cfab921102f9af0ebc

font_04_cff_off000718a5.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x718A5
  Size: 3178 bytes
  SHA-256: ea0cab021513592217cf5f5db1c9910922eb0e7fd6da66f6d5cb12ba981af8dd

font_05_cff_off000723f2.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x723F2
  Size: 2807 bytes
  SHA-256: 2b0fee13040236f96f5f6cd73a01bd99394a904ff63b623f37c901c76c7e9d6f

font_06_cff_off00072e44.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x72E44
  Size: 231 bytes
  SHA-256: 61c861d5d4729ce5441ce91c091afee9dbbd829c3bccbf2b4e394578628d7775

font_07_cff_off00072f78.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x72F78
  Size: 5537 bytes
  SHA-256: 7de340212c29a1eb8d59768b1b86273f2fa4a313f6422e31bca2b41190ab9a0f

font_08_cff_off000743e8.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x743E8
  Size: 358 bytes
  SHA-256: 7ae397a32623b2988106246a4ec81e41af16b4da3c61b1093fff6754af7f15c4

font_09_cff_off000745a7.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x745A7
  Size: 499 bytes
  SHA-256: 90e410177cf7ae887be7bc8860c7eefd979251d21da545303af1af8ab1e30f1f