Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a2384d35ad85c3f…

MALICIOUS

PDF

7.4 KB Authoring application: Viraciregavi
MD5: e6d283117c8e8a6b950da138c73cca60 SHA-1: 704afbb1dd14dbad8916f7193e3992d3967c5b32 SHA-256: 0a2384d35ad85c3f7e64ad956cbdb65f2d0ce634ff3dcf312295b3956fd56928
468 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

This PDF file contains obfuscated JavaScript that exploits known vulnerabilities in Adobe Reader, specifically CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. The script is designed to download and execute a second-stage payload, as indicated by the critical heuristic firings related to exploit clusters and generic stage recovery. The document body text appears to be filler content, not directly related to the malicious functionality.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 11

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV: Pdf.Exploit.Agent-35649 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Exploit.Agent-35649
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0007_000.js
81725bc181c733a6281d7afcef1c9f60db5ea106292336a3438137fa563f8ffd		 pdf-javascript-stream PDF /JS object 7 at offset 0x45A 5730 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
c2f48d10684abfa1634127e323521be3d8a6e1b35dd9f209c581fe3122aa577b		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 7 at offset 0x45A 5463 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_001.js
8014553da6f3531d4103e9a201fa84ac04c0ab07643d56223e770b8009b850c4		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0xEA4 at offset 0xEA4 2882 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_002.js
d02572d6084b4d75ea740332de84bd64d1805f342fe6a7040d2c28d3f1518530		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0xEA4 at offset 0xEA4 2851 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_003.js
0302c6275fd8502ddf4290d96df95c94e2df237ab67d22960bf4d007cc2045c7		 deobfuscated-js generic stage recovery split-literal-normalize -> percent-decode from JavaScript object 7 at offset 0x45A 5459 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_004.js
db26076e78ad81ddcba9d3ae043cf6a721b703a93251a05a49a71d3e6162304c		 deobfuscated-js generic stage recovery percent-decode -> split-literal-normalize from JavaScript object 7 at offset 0x45A 5461 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
legacy_pdfkit_stage_000.js
1e0c8ca4c6180400afd62497a161d41969b04e1091a2d4ffa9764c7f00cf51a1		 deobfuscated-js string-concatenation normalized Acrobat API aliases at offset 0x45A 851 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.