Malicious PDF — malware analysis report

Static analysis result for SHA-256 135f934486811083…

Verdict: MALICIOUS
File type: PDF

Size: 1.95 MB
Created: 2009-11-11 10:52:49 +03:00 (metadata /CreationDate; untrusted, see summary)
Authoring application: PScript5.dll Version 5.2 (via Toldihiqanopo)
MD5: 114ce3c4b70b8ca22470579e8e31bcda
SHA-1: a40bab9e9fbc83b768a87a3b591d1c14d8c6ebe3
SHA-256: 135f934486811083fdda83bcf985b3b748023aab4415b4110d45fa7e5d36cd92
Risk score: 538

Malware Insights

MITRE ATT&CK
T1204.002 User Execution: Malicious File; T1059.007 Command and Scripting Interpreter: JavaScript

This PDF carries exploits for several Adobe Reader vulnerabilities: CVE-2009-0658 (JBIG2Decode image stream), CVE-2009-4324 (media.newPlayer), CVE-2009-0927 (Collab.getIcon), CVE-2007-5659 (Collab.collectEmailInfo) and CVE-2008-2992 (util.printf). Embedded JavaScript, launched from an OpenAction, first deobfuscates itself and then issues the vulnerable API calls; the JBIG2 and JPXDecode image streams sit alongside that active content, which is the delivery pattern of the JBIG2/JPX exploit families. The apparent goal is to run a second-stage payload (the decoded page-word XOR shellcode stage carved below) from the exploited JavaScript. The metadata creation date (2009-11-11) is not trustworthy: it precedes the first public exploitation of CVE-2009-4324 in December 2009, so the date is either forged or belongs to a pre-existing document that was later weaponized.

Heuristics (14)

Each finding lists its severity, how closely it maps to a CVE (exact, likely or related) where that applies, and the rule identifier.

  • Adobe Reader JBIG2Decode page-word shellcode exploit (severity: critical; CVE match: likely; rule: CVE_2009_0658)
    The PDF combines JBIG2Decode image streams with an OpenAction JavaScript launcher that decodes a page-word XOR shellcode stage. This matches the in-the-wild Adobe Reader/Acrobat JBIG2 image-stream exploit cluster associated with CVE-2009-0658, a buffer overflow in the JBIG2Decode filter. The match is on the delivery pattern, not on a verified malformed JBIG2 segment, hence "likely" rather than "exact".
  • media.newPlayer: CVE-2009-4324 (severity: critical; CVE match: exact; rule: CVE_2009_4324)
    The PDF JavaScript calls media.newPlayer(). CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered through doc.media.newPlayer(); it was exploited in the wild as a zero-day in December 2009. Identified after JavaScript deobfuscation.
  • Collab.getIcon: CVE-2009-0927 (severity: critical; CVE match: exact; rule: CVE_2009_0927)
    The PDF JavaScript calls Collab.getIcon(). CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted, overlong argument, and allows arbitrary code execution. Identified after JavaScript deobfuscation.
  • Collab.collectEmailInfo: CVE-2007-5659 (severity: critical; CVE match: exact; rule: CVE_2007_5659)
    The PDF JavaScript calls Collab.collectEmailInfo(). CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by an overlong msg argument to Collab.collectEmailInfo(), normally paired with a heap spray so the overwritten return address lands in sprayed shellcode. One of the earliest of the Acrobat JavaScript API exploits. Identified after JavaScript deobfuscation.
  • util.printf: CVE-2008-2992 (severity: critical; CVE match: exact; rule: CVE_2008_2992)
    The PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered when util.printf() is given a format string whose field width exceeds a fixed-size stack buffer. Widely exploited in the wild after disclosure. Identified after JavaScript deobfuscation.
  • JBIG2 + active content (severity: high; CVE match: related; rule: PDF_JBIG2_ACTIVE_CONTENT)
    JBIG2Decode appears alongside JavaScript, XFA or RichMedia. This is a related indicator for JBIG2 parser-exploit families, including CVE-2009-0658 (Adobe Reader) and CVE-2021-30860 (Apple's CoreGraphics JBIG2 decoder, used in the FORCEDENTRY zero-click chain), but it is not a unique CVE fingerprint.
  • JPXDecode + active content, JPEG2000 CVE-family indicator (severity: high; CVE match: related; rule: PDF_JPX_CVE_2018_4990_RELATED)
    The PDF uses /JPXDecode (JPEG2000) alongside JavaScript, XFA or RichMedia indicators. This matches the delivery pattern of Adobe Reader JPEG2000 parser exploit families, including CVE-2018-4990, but does not prove that the specific malformed JP2/JPX primitive is present.
  • Secondary embedded PDF body has suspicious static findings (severity: critical; rule: POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container, and its carved contents matched PDF exploit or lure heuristics. The rule is aimed at polyglots whose top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload. In this sample the outer container is itself a PDF, so the secondary body (offset 0x7BD3F, 1540801 bytes) is a second PDF concatenated inside the first; the decoded page-word XOR stage at offset 0x7C725 lies inside that secondary body.
  • ClamAV: Pdf.Exploit.Agent-36176 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detects this file as Pdf.Exploit.Agent-36176.
  • JBIG2Decode filter (severity: medium; rule: PDF_JBIG2)
    A JBIG2 image decoder is invoked. JBIG2 parsers have historically been targeted by zero-click exploits; on its own the filter is also used by legitimate scanned documents.
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    The PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All five URLs below are standard XMP/RDF namespace URIs from the document's metadata packet, not network indicators:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
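The following Python is an added example, not code from the report or from the analysis engine that produced it. It implements the kind of static triage the heuristics above describe: whole-token checks for the structural names (/JBIG2Decode, /JPXDecode, /OpenAction, /JS, ...), inflation of FlateDecode streams, a balanced-parenthesis reader for inline /JS strings, a cheap deobfuscation pass that collapses split string literals (the reason the report says the API calls were "identified after JavaScript deobfuscation"), and a lookup of the exploit API names against the CVEs listed above. The sample PDF it builds is constructed for the example; the helper names, the verdict tiers and the "suspicious"/"low" thresholds are my own and are not the report's rules.

```python
import re
import zlib

# Acrobat JavaScript APIs and the CVEs the heuristics above tie to them.
DANGEROUS_JS_APIS = {
    "media.newPlayer": "CVE-2009-4324",
    "Collab.getIcon": "CVE-2009-0927",
    "Collab.collectEmailInfo": "CVE-2007-5659",
    "util.printf": "CVE-2008-2992",
}
ACTIVE_CONTENT = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/XFA", b"/RichMedia"]
DECODER_FILTERS = [b"/JBIG2Decode", b"/JPXDecode"]
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
CONCAT_RE = re.compile(r'(["\'])((?:\\.|(?!\1).)*)\1\s*\+\s*(["\'])((?:\\.|(?!\3).)*)\3')  # "a" + "b"

def has_name(data: bytes, name: bytes) -> bool:
    """Whole-token match, so /JS does not fire on /JSx."""
    return re.search(re.escape(name) + rb"\b", data) is not None

def inflate_streams(pdf: bytes) -> list[bytes]:
    """Inflate every stream body that is valid zlib data; image/font streams that are not are skipped."""
    out = []
    for m in STREAM_RE.finditer(pdf):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return out

def literal_strings_after(data: bytes, key: bytes) -> list[bytes]:
    """Bodies of PDF literal strings '( ... )' that follow `key`, honouring balanced parentheses
    and backslash escapes; a naive '\\((.*?)\\)' regex would truncate app.alert("a (b)")."""
    out = []
    for m in re.finditer(re.escape(key) + rb"\s*\(", data):
        i, depth, buf = m.end(), 1, bytearray()
        while i < len(data):
            c = data[i:i + 1]
            if c == b"\\":  # keep the escape and the escaped byte together
                buf += data[i:i + 2]
                i += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            i += 1
        out.append(bytes(buf))
    return out

def normalize_js(js: str) -> str:
    """Cheap deobfuscation: collapse "a" + "b" literal chains so a split name such as
    "Collab.get" + "Icon" becomes searchable as Collab.getIcon."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(4) + m.group(1), js)
    return js

def triage(pdf: bytes) -> dict:
    """Structural tokens first, then exploit API names in the deobfuscated JavaScript from inline
    /JS strings and inflated streams. The verdict tiers are this example's own, not the report's."""
    active = [t.decode() for t in ACTIVE_CONTENT if has_name(pdf, t)]
    decoders = [t.decode() for t in DECODER_FILTERS if has_name(pdf, t)]
    cves: list[str] = []
    for blob in literal_strings_after(pdf, b"/JS") + inflate_streams(pdf):
        js = normalize_js(blob.decode("latin-1"))
        cves += [c for a, c in DANGEROUS_JS_APIS.items() if a in js and c not in cves]
    if cves:
        verdict = "malicious"
    elif active and decoders:
        verdict = "suspicious"  # image decoder + active content, as in PDF_JBIG2_ACTIVE_CONTENT
    elif active:
        verdict = "low"  # generic JavaScript is common in benign forms
    else:
        verdict = "clean"
    return {"verdict": verdict, "active": active, "decoders": decoders, "cves": cves}

def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed sample): an /OpenAction runs a FlateDecode'd /JS
    stream whose API names are split across literals; one JBIG2 image object is also present."""
    js = (b'var a = "Collab.get" + "Icon";\n'
          b'var b = "media." + "new" + "Player";\n'
          b'util.printf("%d", 1);\n')
    body = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /OpenAction 2 0 R >>",
        b"<< /S /JavaScript /JS 3 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(body), body),
        b"<< /Type /XObject /Subtype /Image /Width 1 /Height 1 /Filter /JBIG2Decode /Length 4 >>"
        b"\nstream\n\xff\xff\xff\xff\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
```

Run it on a real sample with `triage(open(path, "rb").read())`. It deliberately stops short of a full parser: object streams (/ObjStm), non-Flate filters, hex strings and name-escaping (/J#53) are not handled, which is exactly how evasive samples slip past regex-only triage, so a production tool should put a real PDF parser (pdf-parser.py, peepdf or similar) behind these checks.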

Extracted artifacts (15)

Files carved from inside the sample during analysis. Each entry gives the filename, SHA-256, kind, source (where the artifact sits inside the sample), size, and any per-artifact detection notes. JBIG2 is itself an arithmetic/Huffman-coded image format, so entropies near 8 bits/byte are expected for any JBIG2 stream and are not by themselves evidence of a payload; the malicious call rests on the JBIG2 + OpenAction/JavaScript combination flagged above.

stream_005_off0001086b.bin
  SHA-256: c7ed63a15b49e526a15d714e00e246bb82ae6889c5ebaaac77abd4880558ccfd
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x1086B
  Size: 50896 bytes

page_word_xor_stage_000.js
  SHA-256: f79cb6396492fc3f84d20f988f26cb4025557f9420c0051b290e67aa8c54f506
  Kind: deobfuscated-js
  Source: page-word XOR decoded JavaScript (decompressed, key=0x05) at offset 0x7C725
  Size: 3215 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building tokens)

jbig2_00_off00109077.bin
  SHA-256: 84a26abf56ddd28d9b89bd9c5d61a417dd5e2c74bdc01c939b7256f6175a56ce
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x109077
  Size: 6299 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (entropy 7.96, consistent with packed or encrypted content)

jbig2_01_off0013b537.bin
  SHA-256: 99436982f4f196d5e04ed675d1f9db571c1df8ed22839d1c2e6e123901569a74
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x13B537
  Size: 6086 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (entropy 7.95, consistent with packed or encrypted content)

jbig2_02_off0016d1d4.bin
  SHA-256: b1155d285af01c1cbf7b1be7ad995a029be126a4a47807285e43204f586b737e
  Kind: pdf-jbig2-stream
  Source: PDF JBIG2 stream at offset 0x16D1D4
  Size: 5891 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (entropy 7.95, consistent with packed or encrypted content)

icc_00_off0001c224.icc
  SHA-256: 2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e
  Kind: pdf-icc-profile
  Source: PDF ICC profile at offset 0x1C224
  Size: 3144 bytes

font_00_sfnt_off00002991.bin
  SHA-256: 7ff6a25067a0b06f563181fa8ce0138c07d033eb1ca846b9e2784d007594c9a8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2991
  Size: 65732 bytes

font_01_sfnt_off00018316.bin
  SHA-256: 9dd2069ec9ac2c7866e57f5053471a2a18fe74a5d7a5d96c70ff67bdda74ec4e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x18316
  Size: 31528 bytes

font_02_cff_off0007fccf.bin
  SHA-256: 4aea9f4e26ea64e6f14e94753a773d83929f9803d3bda814295f29e58074f792
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x7FCCF
  Size: 4174 bytes

font_03_cff_off00080b7d.bin
  SHA-256: da402ed985cf62a352f17c33be03e3314c53392a70c3dab8d4e1f5b4a78fe6e3
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x80B7D
  Size: 12991 bytes

font_04_cff_off00083217.bin
  SHA-256: 2ebc2e995d8b2e7731f15f41d6bcad4a887862a3c3c51e58ee1574eb89be16bf
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0x83217
  Size: 5499 bytes

font_05_cff_off000a3f80.bin
  SHA-256: f174867ac133914f79be0914e96e30af9d8b8966e9f25b0c749b82b3165a8fc0
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA3F80
  Size: 6634 bytes

font_06_cff_off000a573d.bin
  SHA-256: 4edee329a197c47b1151c013d65db5ed9297584935517cdd9339bf672ec1eaad
  Kind: pdf-font-stream
  Source: PDF embedded font (cff) at offset 0xA573D
  Size: 3561 bytes

javascript_obj0020_000.js
  SHA-256: 681fb8346e2ca0f375d9beeba24e43a3b31939102901566b68fd3c4bfab16eb4
  Kind: pdf-javascript-stream
  Source: PDF /JS object 20 at offset 0x29CB
  Size: 284103 bytes

polyglot_child_pdf_off0007bd3f.pdf
  SHA-256: b0dc90fe84a48b3302afb4f5d81eca0b30ec65c2b7d93b583d6bfa90a43ae2f2
  Kind: polyglot-child-pdf
  Source: secondary PDF body inside the PDF container at offset 0x7BD3F (the decoded XOR stage at 0x7C725 lies within this body)
  Size: 1540801 bytes
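As an added example (not the report's own carving code), the following Python reproduces the three artifact-level checks this section relies on: carving stream bodies and measuring their Shannon entropy (the basis of the "7.96, consistent with packed or encrypted content" note), locating a second %PDF header at a nonzero offset (the polyglot-child condition), and recovering a single-byte XOR key for a deflated JavaScript stage by scoring each candidate plaintext (the report's stage used key=0x05; the "page-word" key-derivation step itself is not described on the page and is not reproduced). The container it builds is constructed for the example, and the thresholds, keyword lists and function names are my own, not the report's.

```python
import math
import random
import re
import zlib

PDF_MAGIC = re.compile(rb"%PDF-\d\.\d")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
JS_HINTS = (b"function", b"var ", b"unescape(", b"eval(", b"String.fromCharCode", b"app.", b"util.")
OBFUSCATION_TOKENS = (b"eval(", b"unescape(", b"String.fromCharCode", b"replace(", b"split(")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English/JS text sits near 4-5, deflated or encrypted data near 7.9-8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def carve_streams(pdf: bytes) -> list[tuple[int, bytes]]:
    """(offset, raw body) of every stream...endstream pair, like the jbig2_*/stream_* artifacts."""
    return [(m.start(1), m.group(1)) for m in STREAM_RE.finditer(pdf)]

def find_secondary_pdf_bodies(data: bytes) -> list[int]:
    """Offsets of '%PDF-x.y' headers that are not at offset 0: the polyglot-child condition."""
    return [m.start() for m in PDF_MAGIC.finditer(data) if m.start() != 0]

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_xor_stage(blob: bytes) -> tuple[int, bytes]:
    """Brute-force a single-byte XOR key over a (possibly deflated) stage: un-XOR with each
    candidate, inflate if the result is valid zlib data, then score printable ratio plus
    JavaScript keyword hits. Returns (key, plaintext); the stage in this report used 0x05."""
    best_key, best_score, best_text = -1, -1.0, b""
    for key in range(256):
        cand = xor_single_byte(blob, key)
        try:
            cand = zlib.decompress(cand)  # wrong keys almost never yield a valid zlib stream
        except zlib.error:
            pass
        printable = sum(32 <= c < 127 or c in (9, 10, 13) for c in cand) / max(len(cand), 1)
        score = printable + sum(cand.count(h) for h in JS_HINTS)
        if score > best_score:
            best_key, best_score, best_text = key, score, cand
    return best_key, best_text

def triage_artifact(data: bytes) -> dict:
    """The 'Obfuscation or payload: likely' call: high entropy or several decoder tokens.
    Thresholds are this example's own, not the report's."""
    ent = shannon_entropy(data)
    tokens = sum(data.count(t) for t in OBFUSCATION_TOKENS)
    return {"entropy": round(ent, 2), "tokens": tokens, "likely_payload": ent > 7.5 or tokens >= 2}

def build_sample_container() -> bytes:
    """Constructed test input (not the analysed sample): a PDF holding one high-entropy
    JBIG2 stream, followed by a second complete PDF body whose stream carries a deflated,
    single-byte-XORed (key 0x05) JavaScript stage."""
    rng = random.Random(7)  # deterministic stand-in for JBIG2 image data
    jbig2 = bytes(rng.randrange(256) for _ in range(4096))
    stage_js = (b"function run() { var s = unescape('%u9090%u9090');\n"
                b"  eval(String.fromCharCode(97)); }\napp.setTimeOut('run()', 100);\n")
    stage = xor_single_byte(zlib.compress(stage_js), 0x05)
    first = (b"%PDF-1.4\n1 0 obj\n<< /Filter /JBIG2Decode /Length " + str(len(jbig2)).encode()
             + b" >>\nstream\n" + jbig2 + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")
    second = (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(stage)).encode()
              + b" >>\nstream\n" + stage + b"\nendstream\nendobj\n%%EOF\n")
    return first + second
```

Note what the entropy check can and cannot tell you: the carved JBIG2 streams score as "likely payload" purely on entropy, which any compressed image would also do, whereas the recovered JavaScript stage scores on decoder tokens (eval, unescape, String.fromCharCode) despite its low entropy. The two signals are complementary, and a practitioner should read the report's "likely" flags in that light.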