MALICIOUS
468
Risk Score
Malware Insights
MITRE ATT&CK
T1203 Exploitation for Client Execution
T1059.007 JavaScript
T1566.001 Spearphishing Attachment
The PDF file contains embedded JavaScript that leverages multiple known Adobe Reader vulnerabilities (CVE-2009-0927, CVE-2007-5659, CVE-2008-2992) to achieve code execution. The deobfuscated JavaScript streams indicate a generic exploit stage designed to download and execute a secondary payload, characteristic of a downloader or initial access exploit.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 11
-
Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
-
PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTERPDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
-
ClamAV: Pdf.Exploit.Agent-35649 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Exploit.Agent-35649
-
eval() call high PDF_EVALeval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
-
unescape() call high PDF_UNESCAPEunescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
-
Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERYBounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 6
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0007_000.js2df3adc839442e92b635469580253ee02e7e9a40c7baec65a614b21c29026963 |
pdf-javascript-stream | PDF /JS object 7 at offset 0x455 | 6324 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s).
|
|||
generic_stage_recovery_000.js5a04f1a353e24e052aea95483678c4b6b96751d0b4192526b257060e5e3148c3 |
deobfuscated-js | generic stage recovery split-literal-normalize from JavaScript object 7 at offset 0x455 | 6057 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
generic_stage_recovery_001.jsbcf815815117f4db145d9c65d1fa6a0f2b045bd5071cd423191c303fac645190 |
deobfuscated-js | generic stage recovery split-literal-normalize from decompressed stream at 0x118F at offset 0x118F | 2716 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
generic_stage_recovery_002.js7f213130b207b730f560527ca0ebe8a1a31e27a1892594ce1aa7c56e9a1a9fd5 |
deobfuscated-js | generic stage recovery split-literal-normalize from decompressed stream at 0x118F at offset 0x118F | 2687 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
generic_stage_recovery_003.js3a3d76d9d93a03391674ba3f0c00c3d5293d69ecb0fac8e8ac074243ddcf56b0 |
deobfuscated-js | generic stage recovery split-literal-normalize -> percent-decode from JavaScript object 7 at offset 0x455 | 6053 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 11 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
legacy_pdfkit_stage_000.js48f7a9c25b866023f2abe8fcb0dadbb108fd166c84b44ca37df3e044dea655e4 |
deobfuscated-js | string-concatenation normalized Acrobat API aliases at offset 0x455 | 560 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 long base64-like blob(s).
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.