Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b9e05a46a7b0978…

MALICIOUS

PDF

Size: 1.17 MB
Created: 2009-12-17 03:14:38 +08:00
Authoring application: PScript5.dll Version 5.2 (via Acrobat Distiller 7.0.5 (Windows))
MD5: 16eb5107dfe3334ab35f55ba6a73f8ee
SHA-1: fcf7eaf6ba5c7b263331a86adda1f78d03b9448d
SHA-256: 0b9e05a46a7b09789c2a2255f84545cf9f315aa27a018c732c7adb1a8197f3f8
Risk Score: 118

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF sample contains embedded JavaScript and is flagged as malicious by an ML classifier. A critical heuristic indicates exploitation of CVE-2009-4324 (media.newPlayer), a vulnerability known to be leveraged for arbitrary code execution. The embedded JavaScript is heavily obfuscated but its presence, combined with the CVE exploit, strongly suggests the document's purpose is to download and execute a secondary payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (6)

  • media.newPlayer — CVE-2009-4324 [critical] [CVE exact] rule: CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action [low] rule: PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] rule: PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] rule: PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload.
  • Object number defined twice with different bodies [info] rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] rule: EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: k1
    SHA-256: d126f2ad4fc1902116e64aff7689cafa64a8efc447f950c255d916aa5935137f
    Kind: pdf-embedded-file
    Source: PDF EmbeddedFile object 26 at offset 0x1EC1
    Size: 2041 bytes
  • Filename: javascript_obj0031_000.js
    SHA-256: dabfb0c707e62dd99da800274062ebe57badf1410b69cd78441e2042686328d1
    Kind: pdf-javascript-stream
    Source: PDF /JS object 31 at offset 0x12B202
    Size: 4607 bytes