PDF malware analysis — malicious · 093ab4448a5e6c7e

MALICIOUS

PDF

30.2 KB

MD5: 8af1667993a3ebb8587b6b874bd80d84 SHA-1: 09842f17cf368038a9b2a9a0c5de3d762d5cc747 SHA-256: 093ab4448a5e6c7e8c7de44dd2902ce8ba7c049631022fcc8f2a14d2515c4d1b

376 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF document contains embedded JavaScript and a Flash RichMedia object, which are leveraged to exploit CVE-2010-1297. The embedded JavaScript, specifically the reconstructed string 'unescape', is used to deobfuscate and execute the exploit. The exploit targets a vulnerability in Adobe Flash Player, leading to the execution of a malicious payload, as indicated by the ClamAV detection 'Pdf.Exploit.Agent-35955' and the ML classifier.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 10

Adobe Flash authplay SWF exploit in PDF — CVE-2010-1297 critical CVE likely CVE_2010_1297_FLASH_RICHMEDIA

PDF combines RichMedia Flash activation, a crafted SWF with ActionScript prototype/AVM-era markers or the AES-PHP/authplay variant markers, and PDF-side shellcode heap-spray staging. This is the static delivery shape associated with CVE-2010-1297 in Adobe Reader's bundled authplay.dll.
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER

PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
ClamAV: Pdf.Exploit.Agent-35955 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-35955
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
RichMedia (Flash) high PDF_RICHMEDIA

PDF contains /RichMedia (Adobe Flash) which is a historic exploit vector
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded file low PDF_EMBEDDED

PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`waEUHOXaQoR.swf` `c2b666a3ef4c191b77b78c037656e50477b8ba3d35fd61ae843a3a1f4d41c5c1`	pdf-embedded-file	PDF EmbeddedFile object 16 at offset 0xEDA	26774 bytes
Detection ClamAV: Pdf.Exploit.Agent-35955 Obfuscation or payload: likely Carved artifact entropy is 7.99, consistent with packed or encrypted content.
`javascript_obj0006_000.js` `09098d795b6489af6c83cc409271f692ef7f6a0ffaa33cd74896c89ff2d70b2f`	pdf-javascript-stream	PDF /JS object 6 at offset 0xEC	2751 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).
`javascript_obj0006_001.js` `e68ef9dd0306e3cd9439456ac1406de1c5e209d44a0885059c412175bbf77ef6`	pdf-javascript-stream	PDF /JS object 6 at offset 0x10C	30694 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.