Malicious PDF — malware analysis report

Static analysis result for SHA-256 17cf4a9730d51a96…

Verdict: MALICIOUS
File type: PDF
Size: 1.64 MB
Created: 2007-12-06 19:43:29 -07:00
Authoring application: Adobe Illustrator 11.0 (via 5.0.5.1810 Release)
MD5: 242332b1ace9aa5a75399a5fbe3ad3ec
SHA-1: 6103561ce8ef4fdc9809a41fb217df34cf021d77
SHA-256: 17cf4a9730d51a96f15752a12f669c9bf69d1e717551581425345504fcf2bd3e
Risk score: 268

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains embedded JavaScript that calls eval(), unescape() and String.fromCharCode(), the standard primitives for staging obfuscated code, and the calls sit inside decoded streams rather than in plain-text form fields. Together with the U3D/3D content this points at an attempt to exploit Adobe Reader's 3D parsing, although the U3D heuristic is a CVE-family indicator and this is a static result: no specific CVE is confirmed and nothing was executed. The script may be intended to download and run a secondary payload, a common initial-compromise technique, but none of the extracted URLs below is attributed to the JavaScript channel (they are XMP namespaces, Adobe certificate CRL/CPS endpoints, a righthemisphere.com link and Boeing standards links), so that stage is inferred, not observed. Further caveats an analyst should weigh: ClamAV found nothing in any carved artifact it scanned, the classifier score of 0.6579 is moderate rather than decisive, and the declared creation date (2007, Adobe Illustrator 11.0) predates both U3D CVEs cited by the heuristic, though PDF metadata is trivially forged. The verdict therefore rests on the correlated heuristics, above all the JavaScript exploit cluster, and should be confirmed by decoding the carved JS streams or detonating the file in an instrumented Reader.
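To make the eval/unescape/fromCharCode point concrete, here is an added example (not the analysis engine's code, and the script it decodes is a constructed sample in the shape this report flags, not JavaScript carved from the PDF under analysis). It unwraps the two string-building primitives statically, without executing any JavaScript, and then applies the shellcode-shape checks an analyst runs on the recovered bytes: a NOP sled, a heap-spray doubling loop, and an API name such as "eval" assembled from character codes. The regexes only handle string literals with numeric arguments; anything computed at runtime needs a sandboxed JS interpreter instead.

```python
import re
import struct

# Constructed sample script in the shape this report flags (NOT the JS carved
# from the analysed PDF): %u-encoded shellcode via unescape(), a spray loop,
# and "eval" assembled with String.fromCharCode to hide the call from grep.
SAMPLE_JS = r'''
var sc = unescape("%u9090%u9090%u9090%u9090%uE8FC%u0000%u0000");
var nop = unescape("%u9090");
while (nop.length < 0x10000) nop += nop;
var fn = String.fromCharCode(101,118,97,108);
this[fn]("app.alert(1)");
'''

UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}|[^"%])*)"\s*\)')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([0-9,\s]+)\)')
SPRAY_RE = re.compile(r'while\s*\(\s*\w+\.length\s*<')


def js_unescape(literal: str) -> bytes:
    """Bytes a JS engine would hold for unescape(literal).

    %uXXXX is a 16-bit code unit stored little-endian, so "%uE8FC" lands in
    memory as FC E8; this byte swap is why the encoding hides shellcode from
    naive string scans. %XX is a single byte; other characters pass through.
    """
    out = bytearray()
    i = 0
    while i < len(literal):
        if literal.startswith('%u', i) and i + 6 <= len(literal):
            out += struct.pack('<H', int(literal[i + 2:i + 6], 16))
            i += 6
        elif literal[i] == '%' and i + 3 <= len(literal):
            out.append(int(literal[i + 1:i + 3], 16))
            i += 3
        else:
            out += literal[i].encode('latin-1', 'replace')
            i += 1
    return bytes(out)


def decode_fromcharcode(arglist: str) -> str:
    """Rebuild the string a String.fromCharCode(...) call with numeric args produces."""
    return ''.join(chr(int(x)) for x in arglist.split(',') if x.strip())


def analyse_js(js: str) -> dict:
    """Static unwrap: decode every literal we can without running the script,
    then apply shellcode-shape checks to the recovered bytes."""
    blobs = [js_unescape(m.group(1)) for m in UNESCAPE_RE.finditer(js)]
    built = [decode_fromcharcode(m.group(1)) for m in FROMCHARCODE_RE.finditer(js)]
    return {
        'unescape_blobs': blobs,
        'fromcharcode_strings': built,
        # eight or more consecutive 0x90 bytes: classic x86 NOP sled
        'nop_sled': any(b'\x90' * 8 in b for b in blobs),
        # "eval" (or another API name) assembled from char codes to evade grep
        'hidden_eval': 'eval' in built,
        # doubling loop keyed on string length: heap-spray idiom
        'spray_loop': bool(SPRAY_RE.search(js)),
    }


if __name__ == '__main__':
    result = analyse_js(SAMPLE_JS)
    for key, value in result.items():
        print(f'{key}: {value!r}')
```

Run it against the carved .js artifacts from the table below to see which of the flagged eval/unescape/fromCharCode tokens actually feed a payload and which are ordinary string handling; the report's own severity split (unescape high, fromCharCode low) reflects exactly that distinction.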

Machine Learning

  • Nyx PDF Classifier malicious score 0.6579

Heuristics (12)

  • U3D/3D content in PDF (Adobe Reader 3D parser CVE-family indicator) high, CVE related PDF_U3D_CVE_RELATED
    PDF contains U3D (Universal 3D) or 3D annotation content — CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PDF JavaScript exploit cluster critical PDF_JS_EXPLOIT_CLUSTER
    PDF combines an executable JavaScript/action surface with exploit staging indicators such as eval/unescape/fromCharCode, XFA script content, or a related CVE pattern. Benign form JavaScript remains low-severity, but this correlated cluster is high-confidence malicious behavior.
  • eval() call high PDF_EVAL
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • Embedded script payload in PDF stream medium PDF_EMBEDDED_SCRIPT_PAYLOAD
    PDF stream bytes contain an HTML/XFA <script> tag without accompanying Windows shell-execution primitives — common in accessible XFA forms but worth surfacing for analyst review.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • String.fromCharCode low PDF_FROMCHARCODE
    String.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
  • Optional Content Group with action trigger low PDF_OPTIONAL_CONTENT
    Optional Content Group (layer) co-occurs with an action trigger — content can be selectively hidden from viewers or scanners while the action still fires on open
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.righthemisphere.com
    • http://crl.adobe.com/prodSvce.crl
    • https://www.adobe.com/misc/pki/prod_svce_cps.htm
    • http://crl.adobe.com/cds.crl
      (the trailing binary bytes the extractor attached to the two crl.adobe.com URLs are DER structure from the surrounding certificate data, not part of the URL, and have been dropped)
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/g/img/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceRef#
    • http://ns.adobe.com/xap/1.0/t/pg/
    • http://ns.adobe.com/xap/1.0/sType/Dimensions#
    • http://ns.adobe.com/xap/1.0/g/
    • http://ns.adobe.com/pdf/1.3/
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&spec=BAC5004-2
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&spec=BAC5009
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&spec=BAC5430
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&spec=BAC5000
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&amp;spec=BAC5004-2
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&amp;spec=BAC5009
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&amp;spec=BAC5000
    • http://standards.web.boeing.com/hlgw.cgi?app=BAC&amp;spec=BAC5430
    • http://www.adobe.com
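The heuristics above are simple enough to reproduce, and doing so is the quickest way to check a verdict like this one against your own samples. The following is an added example, not the analysis engine's code: a stdlib-only scanner that carves indirect objects, inflates FlateDecode streams, and evaluates a subset of the rules listed here (the /JavaScript and /JS surfaces, eval/unescape/fromCharCode inside decoded streams, U3D / 3D annotation content, the same object number defined twice with different bodies, and the correlated exploit cluster). The rule names mirror the report; the severities and weights are illustrative assumptions, as is the constructed PDF it scans, which has no xref table and is built only to exercise a carving scanner.

```python
import re
import zlib
from collections import defaultdict

OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.DOTALL)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)

# Severities modelled on the report's labels; the numeric weights are ours.
SEVERITY = {
    'PDF_JS_EXPLOIT_CLUSTER': 'critical',
    'PDF_U3D_CVE_RELATED': 'high', 'PDF_EVAL': 'high', 'PDF_UNESCAPE': 'high',
    'PDF_JAVASCRIPT': 'low', 'PDF_JS': 'low', 'PDF_FROMCHARCODE': 'low',
    'PDF_DUPLICATE_OBJ_BODY_INCREMENTAL': 'info', 'PDF_STREAM_DECODE_ERROR': 'info',
}
WEIGHT = {'critical': 40, 'high': 25, 'medium': 10, 'low': 5, 'info': 0}
ACTIVE = (b'/JavaScript', b'/JS', b'/OpenAction', b'/AA', b'/Launch')


def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed sample): a 3D annotation with a
    U3D stream, a Flate-packed JS stream wired to /OpenAction, and object 4
    redefined with a different body in an incremental update."""
    js = b'var s = unescape("%u9090%u9090"); eval(String.fromCharCode(97));'
    packed = zlib.compress(js)
    return b''.join([
        b'%PDF-1.6\n',
        b'1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n',
        b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n',
        b'3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n',
        b'4 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n',
        b'5 0 obj << /Type /Annot /Subtype /3D /3DD 7 0 R >> endobj\n',
        b'6 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n' % len(packed),
        packed, b'\nendstream\nendobj\n',
        b'7 0 obj << /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\nendstream\nendobj\n',
        b'%%EOF\n',
        b'4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n',  # incremental update
        b'%%EOF\n',
    ])


def scan_pdf(data: bytes) -> dict:
    """Run the heuristic subset over every indirect object found in `data`."""
    hits = defaultdict(list)
    bodies = defaultdict(list)  # (num, gen) -> every body seen for that id
    for m in OBJ_RE.finditer(data):
        num, gen, body = int(m.group(1)), int(m.group(2)), m.group(3)
        bodies[(num, gen)].append(body)
        texts = [body]
        for s in STREAM_RE.finditer(body):
            raw = s.group(1)
            if b'/FlateDecode' in body:
                try:
                    raw = zlib.decompress(raw)
                except zlib.error:
                    hits['PDF_STREAM_DECODE_ERROR'].append(num)
            texts.append(raw)
        blob = b'\n'.join(texts)  # dictionary plus decoded stream content
        if b'/JavaScript' in blob:
            hits['PDF_JAVASCRIPT'].append(num)
        if re.search(rb'/JS\b', blob):
            hits['PDF_JS'].append(num)
        if re.search(rb'\beval\s*\(', blob):
            hits['PDF_EVAL'].append(num)
        if re.search(rb'\bunescape\s*\(', blob):
            hits['PDF_UNESCAPE'].append(num)
        if b'String.fromCharCode' in blob:
            hits['PDF_FROMCHARCODE'].append(num)
        if re.search(rb'/U3D\b|/Subtype\s*/3D\b|/3DD\b', blob):
            hits['PDF_U3D_CVE_RELATED'].append(num)

    severity = dict(SEVERITY)
    for (num, gen), defs in bodies.items():
        if len(set(defs)) > 1:  # same "N G obj" seen with different bytes
            hits['PDF_DUPLICATE_OBJ_BODY_INCREMENTAL'].append(num)
            # parser-confusion shape: severity rises only when a duplicate carries active content
            if any(k in d for d in defs for k in ACTIVE):
                severity['PDF_DUPLICATE_OBJ_BODY_INCREMENTAL'] = 'medium'

    js_surface = 'PDF_JAVASCRIPT' in hits or 'PDF_JS' in hits
    staging = {'PDF_EVAL', 'PDF_UNESCAPE', 'PDF_FROMCHARCODE'} & set(hits)
    if js_surface and staging:  # executable surface correlated with staging tokens
        hits['PDF_JS_EXPLOIT_CLUSTER'] = sorted({n for r in staging for n in hits[r]})

    score = sum(WEIGHT[severity[rule]] for rule in hits)
    return {'rules': dict(hits), 'severity': {r: severity[r] for r in hits}, 'score': score}


if __name__ == '__main__':
    report = scan_pdf(build_sample_pdf())
    for rule, objs in report['rules'].items():
        print(f"{rule:38s} {report['severity'][rule]:8s} objects {objs}")
    print('score', report['score'])
```

Two limitations matter in practice and are worth keeping in mind when reading the report's own results: a regex carver sees only what is literally in the file (objects inside /ObjStm containers and streams with filter chains other than plain Flate need real decoding first), and the duplicate-object rule is deliberately informational because benign incremental saves produce the same shape; it is the combination with an active /JS or /OpenAction body that makes the first-wins versus last-wins ambiguity interesting.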

Extracted artifacts (28)

Files carved from inside the sample during analysis. Of the 28 artifacts, 24 are FlateDecoded streams carved as .js, one is the /JS object 281 (327 KB), one is a 1.8 MB binary stream (stream_070, the largest artifact; check its header for the U3D content the heuristic flagged) and two are inflated object streams. Twenty-one of the .js streams (stream_041 through stream_068) recur in groups of three with sizes near 10.5 KB, 7.3 KB and 2.8 KB, which suggests one script template instantiated repeatedly, for example once per page or per 3D annotation; diffing the members of each group shows whether they are copies of one library or individually tailored. ClamAV matched nothing, so each per-artifact "Obfuscation or payload: likely" verdict rests on the token count alone.

Filename | SHA-256 | Kind | Source | Size (detection results follow each entry where available)
javascript_obj0281_000.js
3a3ac8d33e1dac85ad5869dc33cd1692937aeebfe2a8f81324ad1fe497900f04
pdf-javascript-stream PDF /JS object 281 at offset 0x176E83 327079 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_039_off0000cf77.js
330f5c19c7ca995795516645be5b590157c01812f41bd6830cdc609bb5b9d4f9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0xCF77 22124 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_040_off0000e046.js
8d96509eb240e1c77f143d6463dfd82b8d984cd0c96616652143d4177d854213
decompressed-pdf-stream PDF FlateDecoded stream at offset 0xE046 17828 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_041_off0000f111.js
09b34bae589e05293fdbe5ba726c9feea1d39254aa3a2572c62566f79c07fcec
decompressed-pdf-stream PDF FlateDecoded stream at offset 0xF111 10565 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 10 eval/decoder/string-building token(s).
stream_043_off000109d8.js
3d4e97e99641ae4ea2def614d0172b5c2768ee7157063dd8fc966a6ecafa57df
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x109D8 7287 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_044_off00011180.js
57b1a76ccfe5da62ca94b81597d47c7d1f044cd6448a85298d1c63c79ec89f2f
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x11180 2763 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_045_off000115a1.js
6ae8528b471667fbe3b6ff0dc9c0b3d6e0d1a11041d403170e52ec2cdbbf5f7d
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x115A1 10770 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 11 eval/decoder/string-building token(s).
stream_047_off00012923.js
dd906f819ca1ff47b8f14405c84e0056f642d48a85e1bc7d1605e254e2e2be57
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x12923 7435 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
stream_048_off000130fd.js
63538b4c16f432496fc4fdc2fac0fffdbf233b5c556faf6fe8fcde67c6479861
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x130FD 2820 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_049_off0001352c.js
9c4ac2e0fb7a766c6cf8dd05e0f1fd828450f0b4095363594c7573d4c9a01727
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1352C 10842 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s).
stream_051_off000147e3.js
ec68211d0cfac86f7e0185e9e193f0bea47cf65bd09a9214a9313d82b14b37bf
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x147E3 7438 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
stream_052_off00014f6f.js
eb05a87b69e3055d04239094d8eecce5ace02a9d75da368c364250ba224135be
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x14F6F 2889 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 6 eval/decoder/string-building token(s).
stream_053_off000153ae.js
120ab9f2a702158271a1b5811a89b1031931970116a0440d0c6bf640c70094d3
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x153AE 10605 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_055_off000167db.js
0784490c57fc7f6f85f08f4424c8c1877d0daf202eb35949cfeeae7849fa9ddf
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x167DB 7256 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_056_off00016f88.js
08d73fd0f586f9dba68fc156e933c642dabe9023c384ce02cfe3884e2a135129
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16F88 2834 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_057_off000173b1.js
6238f0e69eeb260eb02db1a5b26ef76754b82a32cbfdcc63f3bf0b1f50efcec7
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x173B1 10287 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 8 eval/decoder/string-building token(s).
stream_059_off00018624.js
2d6d97ac81740854ff7a92d6b2f5875ac90445f0b5f6fbd15205a0b6ac9f973c
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x18624 7047 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_060_off00018d93.js
eecbaa76ec91fbf670099cabce9d685b294ef9a8bfc6b0250e1c77c3cc7aa073
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x18D93 2725 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_061_off000191b0.js
f652b25a4741ac9a979d17534fcdbdfcfeb64f8503e6cdb80e1adf1296a61327
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x191B0 10562 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_063_off0001a5b5.js
acc8d9aede62e2375087e919f39ab8a3e1adbbda623132ba3a0e5ec21745ab31
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1A5B5 7438 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_064_off0001ad5b.js
f337cd4e88ab44e1f614456683420ad45d99bc869c9165f4df6197280f2eaa5a
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1AD5B 2609 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_065_off0001b16c.js
3296e6bc1219cf0c0c6170a68f5f2e7c6770866d25fac8173684d6d2fa6053f5
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1B16C 10526 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 9 eval/decoder/string-building token(s).
stream_067_off0001c477.js
534450c580d1500b098b85412c96a0342dbf6fc1c95864f4dfb656761bd3f0fc
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1C477 7180 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 4 eval/decoder/string-building token(s).
stream_068_off0001cbf0.js
39bf84a91483573dd2e8037285bbd165a940db5e04fa13514562ee50d4553691
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1CBF0 2831 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 5 eval/decoder/string-building token(s).
stream_070_off0001d53e.bin
f7f4fd7b93e5280f545ff5cacc9e3191078616d28cb4ba81c2f5a63fa5340ed9
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x1D53E 1818284 bytes
stream_071_off0015a3d5.js
bb0b778a32624ddf845e68854d2ac3ea6960799e7274572a384ea6776266868c
decompressed-pdf-stream PDF FlateDecoded stream at offset 0x15A3D5 151124 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s).
objstm_0301_00.bin
f21a0034d0710b2827ef23547c9b5de09f0b512c8b06c539f5a1e5f2cf3095d0
pdf-objstm-decoded PDF /ObjStm 301 0 obj (inflated) 449 bytes
objstm_0302_00.bin
97d4961b2fdf2d0a951bd2ddf9f6c8ac547047c04dba976a09a1d0cd114bff53
pdf-objstm-decoded PDF /ObjStm 302 0 obj (inflated) 9786 bytes