Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c63992927a70623…

MALICIOUS

PDF

186.4 KB
MD5: 8a89524e5cb227d68a3187d6a4d16a26 SHA-1: ce1fa70fa665bb8e525e94ae8267323ae790565c SHA-256: 0c63992927a70623b249920dbda3aa21adf90004ad5ef15a3e8486a7c084eb44
296 Risk Score

Malware Insights

MITRE ATT&CK
T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains obfuscated JavaScript that leverages the CVE-2009-4324 vulnerability via the media.newPlayer method. The script attempts to collect information by constructing a string that evaluates to 'Collab.collectEmailInfo' and then calls this function with a constructed message payload. This indicates an attempt to exfiltrate data or prepare for further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 7

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0008_000.js
7a97ac86ccb25ded0688173ad61f89612239618e9cf53c5bbb1ef7f97d96cb3e		 pdf-javascript-stream PDF /JS object 8 at offset 0x58F 1296 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
generic_stage_recovery_000.js
af68f1151b75ef7252f74b2ac3cbc2b616a205451ab7496d6ece74b22301940d		 deobfuscated-js generic stage recovery percent-decode from JavaScript object 8 at offset 0x58F 1282 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
generic_stage_recovery_001.js
db01810ae0fa9eb6f92377e61458fe3fe13f5fc4c86309f8f5a4a3e219ed739f		 deobfuscated-js generic stage recovery percent-decode from combined JavaScript objects at offset 0x58F 1307 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
4f8cc02821ef6d0d1685d94407c10ec196658a83752f68773ee2d7c8639aa4dc		 deobfuscated-js generic stage recovery null-collapse from decompressed stream at 0x0 at offset 0x0 84797 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
39662075acdaab98ef2aca85ae4409b5e6082a0d0d62eedddded11d256195731		 deobfuscated-js generic stage recovery percent-decode from decompressed stream at 0x0 at offset 0x0 190813 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
generic_stage_recovery_004.js
ea351ba18847c6d9542aa6b450f35bb68e6ce44b20a7d6a680811221741b3bf5		 deobfuscated-js generic stage recovery null-collapse -> percent-decode from decompressed stream at 0x0 at offset 0x0 84779 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
combined_document_js_000.js
e003c0bcee70b603f50f2c26c3aa833edc81998a773f475f97098f55a6da5398		 deobfuscated-js combined document JavaScript streams at offset 0x58F 1321 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.