Malicious PDF — malware analysis report

Static analysis result for SHA-256 15b23a9a0698ffc8…

MALICIOUS

PDF

98.0 KB Created: 2009-07-08 10:53:46 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: 2dcb70a69fb8b8dccf4b69b03c5598f8 SHA-1: b00351521cd18418a576127a75bd92f2b0a4ef14 SHA-256: 15b23a9a0698ffc8b656e2c3b6b221690a4bb9aaacf9b4b3f728533c069d2d59
148 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains embedded JavaScript that exploits CVE-2009-4324, a known vulnerability in Adobe Reader related to the media.newPlayer object. The deobfuscated JavaScript appears to be a downloader or exploit stage, indicated by the high ML classifier score and the generic stage recovery heuristic. The script's primary function is to execute malicious code, likely to download and run a further payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • Generic recovered JavaScript exploit stage high PDF_GENERIC_STAGE_RECOVERY
    Bounded static stage recovery exposed hidden JavaScript through generic transforms such as null-byte collapse, percent decoding, marker replacement, arithmetic character codes, fromCharCode, numeric arrays, numeric-array minus-key decoders, alphabet-index arrays, /Producer half-difference metadata arrays, hex literals, marker-stripped Base64 literals, custom 6-bit XOR table decoders, or repeated-marker hex carriers. This rule is emitted only when the recovered stage contains exploit-like Acrobat JavaScript or shellcode markers.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js
fec02ac84241a606ddee84042d46f183d5a3e8bc4f3fce27d6a568b328437545		 pdf-javascript-stream PDF /JS object 17 at offset 0x4DD 2944 bytes
generic_stage_recovery_000.js
798319c5fb36218270198f3d097dd6c298b2d09d5d838caf46439648ebc871f7		 deobfuscated-js generic stage recovery split-literal-normalize from JavaScript object 17 at offset 0x4DD 2780 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.