Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f42da7a7f39143f…

MALICIOUS

PDF

183.4 KB Created: 2009-12-21 16:55:35 +08:00 Authoring application: Acrobat PDFMaker 7.0ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿcer(Acrobat Distiller 7.0 (Windows) (via Acrobat Distiller 7.0 (Windows))
MD5: c2fc72ade93076ae14af4de1e45e127b SHA-1: f05fb0a72b4e2c2dd2f056cec90f2c6d64397992 SHA-256: 0f42da7a7f39143f31fc76df744f12d673bbaba1fc3fb365f823b2621382b570
252 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF sample contains embedded JavaScript that is heavily obfuscated and utilizes the unescape() function, indicative of exploit code. Critical heuristics indicate exploitation of CVE-2009-4324 via the media.newPlayer object. The JavaScript is designed to download and execute a secondary payload, a common technique for initial stage malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/pdfx/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/photoshop/1.0/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0043_000.js
6a4feff50242ca48bccb7b8303874c63d44c492cea43499d20ce94d354dc031d		 pdf-javascript-stream PDF /JS object 43 at offset 0x2430 2172 bytes
javascript_obj0043_001.js
72a7a81874bc825243697fb1380a9dc969da68bf826f90ff5241fdd360dd07a9		 pdf-javascript-stream PDF /JS object 43 at offset 0x2465 6463 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
generic_stage_recovery_000.js
16ae11897d85015a75a4476aa5d780ff0fb25880746f1a6e954a1c4f5329200c		 deobfuscated-js generic stage recovery marker-XX-to-%u from combined JavaScript objects at offset 0x2430 5838 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s).
combined_document_js_000.js
6b274891890bf0d519e3384adb17e8bb7394a4452b3b364e01a340896daea0d1		 deobfuscated-js combined document JavaScript streams at offset 0x2430 8636 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 20 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).

Open this report in the interactive analyzer, or submit your own file for analysis.