Malicious PDF — malware analysis report

Static analysis result for SHA-256 12e9acae98ada316…

Verdict: MALICIOUS
File type: PDF
Size: 983.0 KB
Created: 2010-01-06 11:43:37 +08:00
MD5: b6e083caba12182a3b85ad09206b84af
SHA-1: 3001348535ba8a13d5431b355eb6c37ac1ba11a5
SHA-256: 12e9acae98ada316d4c269c6c43785b5575a26556cd1f660a4afe0f5cd2cec43
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

The PDF file contains embedded JavaScript that leverages the CVE-2009-4324 vulnerability by calling `this.media.newPlayer(null)`. This exploit is designed to achieve arbitrary code execution within the context of the PDF viewer. The JavaScript is obfuscated but the core exploit mechanism is identifiable. No specific malware family is discernible from the provided evidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9977

Heuristics (7)

  • media.newPlayer — CVE-2009-4324 (severity: critical; type: CVE exact; rule: CVE_2009_4324)
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file (severity: low; rule: PDF_EMBEDDED)
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload. (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators (severity: info; rule: PDF_IMAGE_ONLY_LURE)
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Object number defined twice with different bodies (severity: info; rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • javascript_obj0043_000.js
    SHA-256: 1a5d85c21cce1724fe86b59506f1a02a0438aae5349a6a29a6c984780390a34f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 43 at offset 0xF5413
    Size: 249 bytes
  • javascript_obj0045_001.js
    SHA-256: c3498727efb51d96cec09f2b966f26c99900a481ace896b31671835f19da3085
    Kind: pdf-javascript-stream
    Source: PDF /JS object 45 at offset 0xF55E2
    Size: 119 bytes
  • javascript_obj0050_003.js
    SHA-256: 667817e8c69082751b295c22ee07fbb34b4c8fdb1dc985dd2fba872628241f39
    Kind: pdf-javascript-stream
    Source: PDF /JS object 50 at offset 0xF572E
    Size: 779 bytes
  • combined_document_js_000.js
    SHA-256: 7968397c5fdf32f4aef93fc793fe509ab4643898014f7be450fb8e96ffed88e7
    Kind: deobfuscated-js
    Source: combined document JavaScript streams at offset 0xF5413
    Size: 1151 bytes
  • objstm_0051_00.bin
    SHA-256: 1d28b5aa5fb3cfa4e814510749982f5657dff41d85325033f6756f903afd0417
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 51 0 obj (inflated)
    Size: 48 bytes