Malicious PDF — malware analysis report

Static analysis result for SHA-256 06e8648f2b765b50…

Verdict: MALICIOUS
File type: PDF
Size: 385.2 KB
Created: 2010-03-08 18:08:53
Authoring application: PDF Editor - Foxit Software
MD5: b8970bcc41dfbc6f1b98354b3f3a23bc
SHA-1: 175ae8a1e9e58ce6b676d5969f65cead0dc00c11
SHA-256: 06e8648f2b765b504f26b7e154388a25882fc91565664bdf6531d8cb721e1c3b
Risk score: 240

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript
  • T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript and exploits for CVE-2009-4324 and CVE-2008-2992, indicating it's designed to execute arbitrary code. The JavaScript appears to be obfuscated and attempts to evaluate a large string, which is characteristic of downloaders or exploit loaders. The presence of a secondary embedded PDF with suspicious findings further supports a multi-stage attack.

Machine Learning

  • Nyx PDF Classifier: clean score 0.2125

Heuristics (8)

  • media.newPlayer — CVE-2009-4324 (severity: critical; rule: CVE exact, CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • util.printf — CVE-2008-2992 (severity: critical; rule: CVE exact, CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • Secondary embedded PDF body has suspicious static findings (severity: high; rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj0006_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0x18B
    Size: 6603 bytes
    SHA-256: 66f9d67b08ee61fa0b21f0072b9934a745d388290758f18b651bf361947bedf5
  • stream_002_off00038133.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x38133
    Size: 709500 bytes
    SHA-256: 781e1d57bd8ffa5d8d8c977124f728039d12de673138f6cd53b2cf4cee608fa6
  • polyglot_child_pdf_off00038023.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside PDF container at offset 0x38023
    Size: 165070 bytes
    SHA-256: 3a702c3eecc75d8e530d914d0af0c75bdadf68c44ad8d50f3670274c421cb367