Malicious PDF / .IRP — malware analysis report

Static analysis result for SHA-256 156c43b80739fbc1…

MALICIOUS

PDF / .IRP

81.4 KB
MD5: 3d1d6d5a5e34c37524ae2c8911f24e8d SHA-1: 2add249aa852c5a4c3b2da87627f1f48ae7fd599 SHA-256: 156c43b80739fbc1c937360fc0f23219af894bd67730103a31e2b60a9ca63ac5
432 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that triggers multiple known Adobe Reader vulnerabilities, specifically CVE-2007-5659 and CVE-2009-4324. This JavaScript is designed to execute a secondary stage, likely a payload downloader, as indicated by the 'generic stage recovery' heuristics and the presence of obfuscated JavaScript streams. The exploitation of these CVEs is the primary malicious function observed.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9807

Heuristics 12

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • Multi-CVE Adobe Reader JavaScript exploit kit critical PDF_ADOBE_READER_MULTI_CVE_JS_KIT
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts 9

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_010_off00002a3f.js
8edab7f5d6d3bc708c0e9328083b0354959e8f9d631fb43c0c99d34c90d4eac9		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2A3F 6731 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
generic_stage_recovery_000.js
316f35b1a22e108bed4ccfb5a8333187723c66f41396d3e6a3f817f3445082c4		 deobfuscated-js generic stage recovery split-literal-normalize from decompressed stream at 0x2A3F at offset 0x2A3F 6617 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 7 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
generic_stage_recovery_001.js
108d470302234877ecb430e64e1a1c67bbb3aa601b90d206787cc43236da10aa		 deobfuscated-js generic stage recovery marker-XX-to-%u from decompressed stream at 0x2A3F at offset 0x2A3F 6095 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
generic_stage_recovery_002.js
ca66284ab426a92ae1b146fc455bbab004c68070d67864af0b6f7d342d7bb7c8		 deobfuscated-js generic stage recovery marker-XX-to-%u from decompressed stream at 0x2A3F at offset 0x2A3F 2421 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
generic_stage_recovery_003.js
e4af8ad051735bcbddf7852e4103407928ff822bc1d1df93efaabbcfd4bc1d8b		 deobfuscated-js generic stage recovery split-literal-normalize -> marker-XX-to-%u from decompressed stream at 0x2A3F at offset 0x2A3F 5981 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
generic_stage_recovery_004.js
478fbc01c1adc9086a3981240b76d605ac0028892a29473d8992c196e9ee1961		 deobfuscated-js generic stage recovery split-literal-normalize -> marker-XX-to-%u from decompressed stream at 0x2A3F at offset 0x2A3F 2307 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
objstm_0029_00.bin
dc0fc170b1d5882fa1a67739f64e17705521fdd85dd8316c748159eb3ee59b0c		 pdf-objstm-decoded PDF /ObjStm 29 0 obj (inflated) 457 bytes
objstm_0047_00.bin
fb30dcc1b952dafe4c4dfef9cc7c3163f6cc551f3579bbfec1223b6e550c625b		 pdf-objstm-decoded PDF /ObjStm 47 0 obj (inflated) 32 bytes
polyglot_child_pdf_off0000ff4e.pdf
a1fd528f7b9854f0227000971505d5095c541eaf2d461706f6ec5ecb1d327c69		 polyglot-child-pdf Secondary PDF body inside pdf container at offset 0xFF4E 18042 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.