Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b9ab6760d4b3a9b…

MALICIOUS

PDF

1.17 MB Created: 2009-12-17 03:14:38 +08:00 Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: ea357fc11abc498d49d7ecd389d2235e SHA-1: 9385c3184ccebaac58b2fdcc0ded149b55be0421 SHA-256: 0b9ab6760d4b3a9b44263dd40fb52b94b1f38f3640efc7c3d77c4cceccd0b2eb
158 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2009-4324, specifically targeting the media.newPlayer functionality. The deobfuscated JavaScript appears to be designed to download and execute a secondary payload, indicated by the generic stage recovery heuristic. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 7

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file low PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
k1
d126f2ad4fc1902116e64aff7689cafa64a8efc447f950c255d916aa5935137f		 pdf-embedded-file PDF EmbeddedFile object 26 at offset 0x1EC1 2041 bytes
javascript_obj0031_000.js
de630c79c07d0b9723561a8fa36f3d3ba9ff16b0b2e931247a4db482bed28c38		 pdf-javascript-stream PDF /JS object 31 at offset 0x12B202 4707 bytes
generic_stage_recovery_000.js
43378712ead4577fb8387951f4d8c2baaec247f3905e9f9712ed1c86d6af0844		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 31 at offset 0x12B202 4493 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.