MALICIOUS
188
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
The PDF file is identified as malicious due to critical heuristic firings indicating exploitation of CVE-2009-4324 (media.newPlayer) and CVE-2007-5659 (Collab.collectEmailInfo). The embedded JavaScript attempts to exploit these vulnerabilities, likely to achieve code execution. The script also contains obfuscated strings and attempts to collect email information, suggesting a reconnaissance or initial compromise phase.
Machine Learning
- Nyx PDF Classifier suspicious score 0.3725
Heuristics 8
-
media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
-
Encrypted PDF carries /JavaScript — payload hidden from static analysis high PDF_ENCRYPTED_WITH_JSPDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Optional Content Group with action trigger low PDF_OPTIONAL_CONTENTOptional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://www.verisign.com/repository/CPS��
- https://www.verisign.com
- https://www.verisign.com/repository/verisignlogo.gif0��
- https://www.verisign.com/CPS0b
- http://www.microsoft.com/typography
- http://www.microsoft.com/truetype/0
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0034_000.js7548c9ea77bfaba7db36f85a06b34be167a172b573b88fd17676955e025d94f4 |
pdf-javascript-stream | PDF /JS object 34 at offset 0x1520 | 1735 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 7 eval/decoder/string-building token(s).
|
|||
stream_002_off00017df0.bin147cd2f6b82a514f79d8396c14d4abb01cdd737885aa0c33d7a13c175a07ca02 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0x17DF0 | 11340 bytes |
font_00_sfnt_off0001604f.bin4ae3a6446db9edaf646f0b74f48a96fc2a2dcf6477296198ecdff32ba673918c |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x1604F | 11624 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.