Malicious PDF — malware analysis report

Static analysis result for SHA-256 16d040ce608ab474…

MALICIOUS

PDF

17.8 KB
MD5: edfa8fa682f945a1838330df8ad61010 SHA-1: 5aed6e235a588bc1437d36c25b80041725032000 SHA-256: 16d040ce608ab474f707257a50bcf6e24855907c1992ca87aef029cfe8b24582
310 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF file contains obfuscated JavaScript that exploits CVE-2009-4324, specifically targeting the media.newPlayer function. This script is designed to download and execute a second-stage payload from the URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_newplayer. The presence of eval() and unescape() calls, along with the embedded URL and ClamAV detection on extracted artifacts, strongly indicates malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution
  • PDF JavaScript shellcode contains an embedded download URL high PDF_JS_SHELLCODE_DOWNLOAD_URL
    Decoded PDF JavaScript shellcode contains a hardcoded http(s) URL stored as little-endian %uXXXX Unicode escapes. Reader exploit shellcode embeds the second-stage fetch URL this way and pulls it down with a urlmon/URLDownloadToFile-style download-and-execute (commodity downloader behaviour rather than a specific Acrobat CVE).
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gospeltube.com/cache/.svn/.p/.l.php?l=1&spl=pdf_newplayer

Extracted artifacts 10

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj111711_000.js
1ff1582e2c756832193f8b207ece7b922d9aaba3f3de95638b9d1362752225a7		 pdf-javascript-stream PDF /JS object 111711 at offset 0x18E 2935 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
javascript_obj111712_001.js
d2d8d76698b0eb57a60b18522ac3f2a5fb5ddbdf5d776b5cf9a6f5da4da7bdb0		 pdf-javascript-stream PDF /JS object 111712 at offset 0xD3B 12117 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
javascript_obj111713_002.js
df03224f897a6754c3a06e9c6e7d38ce7caa2e143a95228c764892f0e538fba5		 pdf-javascript-stream PDF /JS object 111713 at offset 0x3CC6 2553 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
javascript_obj111711_003.js
8f30012bcb6a91f51f88740f259f5a9d1d068f192dacb911be219de1a915ec88		 pdf-javascript-stream PDF /JS object 111711 at offset 0x1B2 17761 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 14 long base64-like blob(s).
javascript_obj111712_004.js
809a7953cea88a0858ed12905b6b62e4b04f5a0757043cd96cad87f15fe886b6		 pdf-javascript-stream PDF /JS object 111712 at offset 0xD5F 14772 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 8 long base64-like blob(s).
javascript_obj111713_005.js
837f56f06e3cda9a72e993e92afe6aa14ee9d8c7de2e3b74423fb195ee4737cc		 pdf-javascript-stream PDF /JS object 111713 at offset 0x3CE9 2602 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
legacy_pdfkit_stage_000.js
ae6f0bdfb6965b296a39453619b94d42a2d6add4bffe3f277c78c0ea4cbcf88d		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0xD3B 1079 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
legacy_pdfkit_stage_001.js
5091795dc7dfd1e269d30a5ab394f1536cab6157b0cb74b7e26a9fdc9129a46f		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x3CC6 165 bytes
legacy_pdfkit_stage_002.js
ae0a38f0f2b4f34b63562c96649f54e2a890edcc7fa4ece5b5548d56f551d39b		 deobfuscated-js multi-marker percent-array decoded JavaScript at offset 0x1B2 1245 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
legacy_pdfkit_stage_003.js
4b0758537c1ebcb2862e0e8de92dec980b89a8226a75002dc38cf9b2eeef43ea		 deobfuscated-js multi-marker percent-array combined decoded JavaScript at offset 0xD3B 6395 bytes
Detection
ClamAV: Js.Exploit.Shellcode-18
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.