Malicious PDF — malware analysis report

Static analysis result for SHA-256 1bcb5b4002c7a2ad…

Verdict: MALICIOUS
File type: PDF
Size: 25.0 KB
MD5: 353ab779bc7c21733dddacd93314a4f1
SHA-1: e5be49395a1c8ab091e3f80c4d0e8d54747154b8
SHA-256: 1bcb5b4002c7a2ad17f535364962ea4b0c3668259ab4a1f4cc395e1d8f5f4cf4
Risk score: 118

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1204.001 Malicious Link
  • T1027 Obfuscated Files or Information

This PDF file contains embedded JavaScript that uses eval() and unescape(), indicating an attempt to obfuscate malicious code. The critical-severity CVE-2008-2992 heuristic fired, confirming exploitation of a known Adobe Reader vulnerability via util.printf() to execute this JavaScript. The script's primary function appears to be decoding and executing a further stage of malicious code, likely a downloader or dropper, from within the PDF.

Heuristics (5)

  • util.printf — CVE-2008-2992 (severity: critical; CVE match: exact; rule: CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • eval() call (severity: high; rule: PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule: PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists the filename, its SHA-256, the artifact kind, the source location inside the sample, the size, and the detection results.

  • javascript_obj111711_000.js
    SHA-256: a9f247bacdcf940b68272da34b4da2a1827ad29566753da21496114332dc6ed3
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111711 at offset 0x18E
    Size: 3283 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
  • javascript_obj111712_001.js
    SHA-256: 006660fbd0e77393623f35586efe12993b84e0fa639af4fa3f0e12eff11d227f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111712 at offset 0xE97
    Size: 16993 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 4 long base64-like blob(s).
  • javascript_obj111713_002.js
    SHA-256: 907cea2b57d7faea43b821d186b911094fa8b45a70dc1594c633c752d9f5c4ce
    Kind: pdf-javascript-stream
    Source: PDF /JS object 111713 at offset 0x512E
    Size: 4717 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 6 long base64-like blob(s).
  • legacy_pdfkit_stage_000.js
    SHA-256: 8c8084df996140f9111e42d8bdfddf2a1c8e32e4c6d00b528ed6a0828a19e3f6
    Kind: deobfuscated-js
    Source: double percent-decoded annotation JavaScript at offset 0xE97
    Size: 16261 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 43 long base64-like blob(s).
  • legacy_pdfkit_stage_001.js
    SHA-256: dcbb57d099826c1ef63303f30b2acf32060df2ff960ee5471799c36c19e7e349
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0xE97
    Size: 1422 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 3 eval/decoder/string-building token(s).
  • legacy_pdfkit_stage_002.js
    SHA-256: 842eeb0313eb065d0743524d314bad29f497e05b701d503f186de5481e6a16c8
    Kind: deobfuscated-js
    Source: multi-marker percent-array decoded JavaScript at offset 0x512E
    Size: 389 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 1 long base64-like blob(s).
  • legacy_pdfkit_stage_003.js
    SHA-256: 3123a0076a019b2a0883e0737d4a85d226eebb58fd4743c571578f64e19b1448
    Kind: deobfuscated-js
    Source: multi-marker percent-array combined decoded JavaScript at offset 0xE97
    Size: 1812 bytes
    Detection: ClamAV: No threats found; Obfuscation or payload: likely
    Notes: Carved artifact contains 3 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).