Verdict: MALICIOUS (Risk Score 110)
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF contains embedded JavaScript that targets CVE-2008-2992, a stack buffer overflow in Adobe Reader's util.printf() function. The script is obfuscated and attempts to construct a payload from several encoded strings. The primary script calls util.printf with a very large number, consistent with the long format-specifier argument that triggers the overflow, so the call is the exploit's memory-corruption primitive rather than legitimate form output. The end goal is arbitrary code execution inside the reader process, typical of a downloader or initial-access document exploit.
Machine Learning
- Nyx PDF Classifier: malicious score 1.0000
Heuristics (5)
- util.printf — CVE-2008-2992 [critical, CVE exact, rule CVE_2008_2992]: PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument, and it was widely exploited in the wild after disclosure. (Matched in a decompressed stream.)
- JavaScript action [low, rule PDF_JAVASCRIPT]: the PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream [low, rule PDF_JS]: the PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- PDF differential parser failed [info, rule PDF_DIFFERENTIAL_PARSE_FAILED]: the cross-check parser (pdfminer.six) failed on this file with PSEOF (unexpected end of data). The static heuristics still ran and their findings above stand; only the differential cross-check signal is missing. A strict parser choking on a document that Adobe Reader still opens is itself worth noting, since exploit PDFs are frequently malformed in ways the target reader tolerates.
- Suspicious extracted artifact [info, rule EXTRACTED_FILE_STATIC_TRIAGE]: one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
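The following is an added example of how the two JavaScript heuristics above can be reproduced outside the analyzer; it is not the analyzer's own code. It walks every `N 0 obj` in a PDF, inflates FlateDecode streams, locates JavaScript both as inline `/JS (...)` strings and as streams reached through `/JS N 0 R`, and then flags `util.printf()` calls whose format specifier carries an oversized width or precision (the CVE-2008-2992 trigger) as well as long base64-like runs. The width threshold, the blob length, the rule labels reused from this report, and the two-object sample PDF built inline are all assumptions or constructed test data, not taken from the analysed file.

```python
"""Static triage of PDF JavaScript for CVE-2008-2992-style util.printf abuse."""
import re
import zlib

# Assumed thresholds (not taken from the analyzer): no form script needs a
# %-specifier this wide, and a base64-looking run this long is usually a payload.
PRINTF_WIDTH_THRESHOLD = 1000
BASE64_BLOB_MIN_LEN = 200

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.DOTALL)
JS_REF_RE = re.compile(rb"/(?:JS|JavaScript)\s+(\d+)\s+0\s+R")      # /JS 6 0 R
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)(?<!\\)\)", re.DOTALL)     # /JS (code)
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?=\s*(?:/|>>))")    # not "N 0 R"
PRINTF_RE = re.compile(r"""util\s*\.\s*printf\s*\(\s*(["'])(.*?)\1""", re.DOTALL)
SPEC_RE = re.compile(r"%[-+ #0]*(\d*)(?:\.(\d+))?[a-zA-Z]")
B64_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % BASE64_BLOB_MIN_LEN)


def inflate(raw):
    """zlib-inflate a FlateDecode body; on any zlib error return the raw bytes
    so the regex heuristics still get a chance (a truncated stream is common)."""
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush()
    except zlib.error:
        return raw


def stream_body(body):
    """Bytes between 'stream' and 'endstream' in one object body, trusting a
    direct integer /Length when present; None if the object has no stream."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return None
    start = m.end()
    length = DIRECT_LENGTH_RE.search(body)
    if length:
        return body[start:start + int(length.group(1))]
    # Fallback for an indirect /Length: cut at endstream (may trim a trailing EOL byte).
    return body[start:body.rfind(b"endstream")].rstrip(b"\r\n")


def extract_js(pdf):
    """Map object number -> JavaScript source for every JS location found."""
    objects = {int(n): body for n, body in OBJ_RE.findall(pdf)}
    referenced = {int(n) for body in objects.values() for n in JS_REF_RE.findall(body)}
    found = {}
    for num, body in objects.items():
        for m in JS_INLINE_RE.finditer(body):        # inline string actions
            found[num] = m.group(1).decode("latin-1")
        data = stream_body(body)
        if data is None:
            continue
        if b"/FlateDecode" in body:
            data = inflate(data)
        # Streams reached via /JS N 0 R are JavaScript. Any other decoded stream
        # that mentions util is scanned too: obfuscated samples hide code in
        # streams the action chain reaches indirectly.
        if num in referenced or b"util" in data:
            found[num] = data.decode("latin-1")
    return found


def scan_js(src):
    """Heuristic findings for one JavaScript body."""
    findings = []
    for m in PRINTF_RE.finditer(src):
        fmt = m.group(2)
        specs = list(SPEC_RE.finditer(fmt))
        worst = max([int(s.group(1) or 0) for s in specs]
                    + [int(s.group(2) or 0) for s in specs] + [0])
        if worst >= PRINTF_WIDTH_THRESHOLD:
            findings.append(f"CVE_2008_2992: util.printf format {fmt!r} width/precision {worst}")
        else:
            findings.append(f"PDF_UTIL_PRINTF: util.printf call with format {fmt!r}")
    if B64_RE.search(src):
        findings.append("EXTRACTED_FILE_STATIC_TRIAGE: long base64-like blob")
    return findings


def triage(pdf):
    """Object number -> findings, for objects that produced any."""
    results = {}
    for num, src in extract_js(pdf).items():
        findings = scan_js(src)
        if findings:
            results[num] = findings
    return results


def _flate_stream_obj(num, payload):
    data = zlib.compress(payload)
    head = f"{num} 0 obj\n<< /Filter /FlateDecode /Length {len(data)} >>\nstream\n".encode()
    return head + data + b"\nendstream\nendobj\n"


# Constructed sample, not the analysed file: object 6 is a FlateDecode /JS stream
# reached from /OpenAction with a 45000-wide specifier beside a base64-looking
# run (standing in for an encoded payload); object 10 is benign form JavaScript.
EXPLOIT_JS = b'var blob = "' + b"A" * 256 + b'";\nvar n = 1.1;\nutil.printf("%45000f", n);\n'
BENIGN_JS = b'util.printf("%.2f", this.getField("total").value);\n'
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n"
    b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
    + _flate_stream_obj(6, EXPLOIT_JS)
    + b"9 0 obj\n<< /S /JavaScript /JS 10 0 R >>\nendobj\n"
    + _flate_stream_obj(10, BENIGN_JS)
    + b"%%EOF\n"
)

if __name__ == "__main__":
    for num, findings in sorted(triage(SAMPLE_PDF).items()):
        for finding in findings:
            print(f"object {num}: {finding}")
```

Run against a real sample with `triage(open(path, "rb").read())`. The benign object still yields a low-severity `PDF_UTIL_PRINTF` line, mirroring the report's split between "JavaScript is present" and "a dangerous API is used dangerously"; only the oversized specifier escalates to the CVE label. The `util.printf` regex only sees direct calls, so a script that builds the name at runtime (`util["pr"+"intf"]`) or splits the format string across concatenations will slip past it, which is exactly why the report scores obfuscation and encoded blobs as separate signals.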
Extracted artifacts (32)
Files carved from inside the sample during analysis.
| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| javascript_obj0006_000.js | 4a322e8aa69dcd458d0f868e8c05d66ba617461f8044c99565f16f54f55c0b5b | pdf-javascript-stream | PDF /JS object 6 at offset 0x14C | 347 bytes |
| javascript_obj0010_001.js | ced21ba5316e703dcad7ca1793300a5392536fcebbaed0a5db51c128c5adc6c4 | pdf-javascript-stream | PDF /JS object 10 at offset 0x36C2 | 57 bytes |
| javascript_obj0011_002.js | def587c9717c1dd6934cd34b92d6c2ba1ee0c8911d2b7897896abe22bdeea602 | pdf-javascript-stream | PDF /JS object 11 at offset 0x3739 | 110 bytes |
| javascript_obj0012_003.js | 7debab98805fa1b40d4939be6c0ad091f52b828e3bcd6d6ecdd76cb6780cc5f5 | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 34 bytes |
| javascript_obj0012_004.js | 10e2122463d32d3fdc5d90ebf350a7b508fcf749a0e46f1cb424f17fe4900aee | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 82 bytes |
| javascript_obj0012_005.js | 5dbd0380a265a1fd37775749ac16703c4478f4e4f66d9479c8a392fe1d57b998 | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 46 bytes |
| javascript_obj0012_006.js | ef7d3793f7c404a28ad3175c4f825d4bc665d73a90bf5625945c85bab9fa46f9 | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 119 bytes |
| javascript_obj0012_007.js | fc51ad3a274c63aadd4279016de3a55559f183f1e56935f3e0bd2cf4939d0c99 | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 269 bytes |
| javascript_obj0012_008.js | 256700ca2997d7b2bfd79d96991a314eed4693de21ff4f6ac99282a8bfbede92 | pdf-javascript-stream | PDF /JS object 12 at offset 0x37E1 | 407 bytes |
| javascript_obj0020_009.js | 7f280c444be81bc17d3e91d6d0879a3654604f39a2a67cad81a7761ee6b85388 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 62 bytes |
| javascript_obj0020_011.js | 068ccfb3ea4bbea10731535d92db8f4fcbfedeedb9a8fbf12eb4fa08de1e468e | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 79 bytes |
| javascript_obj0020_012.js | 194667b938393742246d7044a7c0a104f71a9f00c390c7e6092c714588fb6290 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 39 bytes |
| javascript_obj0020_015.js | 1334006ab93e457c7f04928c69153d703f80fe85efe70f3b046f394756608c66 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 43 bytes |
| javascript_obj0020_016.js | 4cec8204fc3deea8ed1ce434a68f35c3f2615471d055f1137057d88857a12a65 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 190 bytes |
| javascript_obj0020_017.js | 6b6b714d3c4be186634ad3afcbbd50285bd1806e674048cf4452b311a619ff6b | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 144 bytes |
| javascript_obj0020_018.js | a6ff48ec2b5f73a5aa4b45572fd63604917f767db28d4dbbd4b3ed910c6e6193 | pdf-javascript-stream | PDF /JS object 20 at offset 0x3BAA | 485 bytes |
| javascript_obj0030_019.js | f8051377a1b673a76637e98a6bbc2ab71a78620e8fad79116845a11db819f78b | pdf-javascript-stream | PDF /JS object 30 at offset 0x40B2 | 91 bytes |
| javascript_obj0031_020.js | 37c1ae711b6bbaaac807743423b5e01873fef411dd91bfcf53d9244f72eeb0fb | pdf-javascript-stream | PDF /JS object 31 at offset 0x4147 | 55 bytes |
| javascript_obj0032_021.js | 9c0ea4633e119e0b23c70940e386a4852e5570a1ea7d9d8e8bc1e0cb1e8b8833 | pdf-javascript-stream | PDF /JS object 32 at offset 0x41B8 | 107 bytes |
| javascript_obj0033_022.js | e4a792cdd117a9b692060f93e92bf7b4098de584a080e8312ab0afb7606d8500 | pdf-javascript-stream | PDF /JS object 33 at offset 0x425D | 87 bytes |
| javascript_obj0034_023.js | 4cf44bb6d6b1423b9b8008cfdcc45569ca525be7bed2914120e32eba24876e43 | pdf-javascript-stream | PDF /JS object 34 at offset 0x42EE | 95 bytes |
| javascript_obj0035_024.js | 3efd3c0a81bd71878fc18bef7ebee5f490096a1456a27cbe4df9ed9b52ad0003 | pdf-javascript-stream | PDF /JS object 35 at offset 0x4387 | 99 bytes |
| javascript_obj0036_025.js | 81ffe06bf8a2a835f653a7d7a3a927864e2d1970760b93021f19af47fa5dcb20 | pdf-javascript-stream | PDF /JS object 36 at offset 0x4424 | 103 bytes |
| javascript_obj0037_026.js | dd2676085b78881cb2a0a876ab8abbd5b7dbe4a36d7b032b648b97ffd516015e | pdf-javascript-stream | PDF /JS object 37 at offset 0x44C5 | 39 bytes |
| javascript_obj0041_030.js | 84e2bf56016c0f5fae2cc1f945c921208d04d765d00ecae02a9e8e7e430eba88 | pdf-javascript-stream | PDF /JS object 41 at offset 0x4621 | 79 bytes |
| javascript_obj0042_031.js | 4ec0eae5f505ad69ecb57ef81d46d933812aa14edf66f25d103c3f04071f81d5 | pdf-javascript-stream | PDF /JS object 42 at offset 0x46AC | 84 bytes |
| javascript_obj0042_033.js | e081dc2e4334085171e71a1d349ee6cc721fbfd332dda963825c4992d4be5793 | pdf-javascript-stream | PDF /JS object 42 at offset 0x46AC | 74 bytes |
| javascript_obj0042_034.js | 0ee1ad0349ce4fc3ece288dce12b8c575d59b349d5a8cea9c2734bd72eb8e694 | pdf-javascript-stream | PDF /JS object 42 at offset 0x46AC | 93 bytes |
| javascript_obj0046_036.js | b80207d1362a718699e75ca9422118ce78f2ddb1a591f88068156c54728641bf | pdf-javascript-stream | PDF /JS object 46 at offset 0x47D3 | 111 bytes |
| javascript_obj0048_037.js | cdb00d413dd3dc5b9d3e3780f1775e73dbb44b071a24019bd9d4f5472f12fea2 | pdf-javascript-stream | PDF /JS object 48 at offset 0x48AF | 42 bytes |
| javascript_obj0048_038.js | 848a26859e6a995a9dba8ff9fe394bd37660a1b8cfc79ebf45f4459df07b2856 | pdf-javascript-stream | PDF /JS object 48 at offset 0x48AF | 51 bytes |
| javascript_obj0048_039.js | ed92d497c658c0344ef12d8c6ee1ed1422bc2ea6b262e04ade3a8d103767fc81 | pdf-javascript-stream | PDF /JS object 48 at offset 0x48AF | 76 bytes |

Detection detail for javascript_obj0006_000.js: ClamAV found no threats; obfuscation or payload: likely (the carved artifact contains 1 long base64-like blob). A signature engine not flagging a 347-byte carved script fragment is expected, since it has little beyond the decoded text to match on; the static heuristics above, not the ClamAV result, carry the verdict.