PDF malware analysis — malicious · 0ca80e314d8befdd

MALICIOUS

PDF

6.1 KB

MD5: 1320f744cd67b09c906eee8448514660 SHA-1: 66a292643556acf8cb03b83f2396c77276255cc9 SHA-256: 0ca80e314d8befdd27f4f4f8940c511c8c1dac9e8e85dc328c6ca208274f1f5c

166 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution T1059.007 JavaScript T1566.001 Spearphishing Attachment

The PDF file contains embedded JavaScript that is obfuscated and likely malicious, as indicated by critical heuristic firings for CVE-2008-2992 and ML classification. The JavaScript's purpose is to exploit this vulnerability, leading to the execution of further malicious code, likely a downloader. The presence of obfuscated JavaScript and the specific CVE exploit strongly suggest a malicious intent to compromise the user's system.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992

PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0006_000.js` `a7956c4d9e073df5aa89e7567a01e68fd915f8c41de47cb5854480682be94ce9`	pdf-javascript-stream	PDF /JS object 6 at offset 0x1A9	5087 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.