MALICIOUS
86
Risk Score
Malware Insights
MITRE ATT&CK
T1059.001 PowerShell
T1204.001 Malicious Link
The critical heuristic firing for CVE-2007-5659 indicates the PDF exploits a known vulnerability using embedded JavaScript. The extracted JavaScript streams, particularly 'legacy_pdfkit_stage_000.js' and 'legacy_pdfkit_stage_001.js', suggest the script is designed to download and execute a second-stage payload. The use of 'String.fromCharCode' and obfuscated JavaScript further supports this. The document body was not sufficiently readable to determine a specific lure.
Heuristics 5
-
Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
-
JavaScript action low PDF_JAVASCRIPTPDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
Embedded JS stream low PDF_JSPDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
-
String.fromCharCode low PDF_FROMCHARCODEString.fromCharCode found — used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so this alone is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
-
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGEOne or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Extracted artifacts 9
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
javascript_obj0005_000.jsf048286b2dfe205330e162117bc9e2e9406092389e25aa91660890d79cb205b6 |
pdf-javascript-stream | PDF /JS object 5 at offset 0x110 | 916 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 1 eval/decoder/string-building token(s).
|
|||
stream_009_off0000f58d.bin4ed68ae454e8bd4815011aa83749c9ac895e19d492642c3a660560b56f217cf3 |
decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xF58D | 6570 bytes |
legacy_pdfkit_stage_000.js7a590a04ea87350e84c3856974289b971d37449302c9c2940b4de6ef81f0d52b |
deobfuscated-js | z-percent hex-pair decoded JavaScript at offset 0x65F7 | 4919 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 5 eval/decoder/string-building token(s).
|
|||
legacy_pdfkit_stage_001.js79371305d462f00f2a141b476e1cf8fba05bdb49c15d53c9a49ff740e927b262 |
deobfuscated-js | repeated-marker hex decoded JavaScript at offset 0x65F7 | 11601 bytes |
|
Detection
ClamAV:
No threats found
Obfuscation or payload:
likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
|
|||
font_00_cff_off0000e37c.bin85bdf667194bcc4cacabbad33dea4a6f924067c81bc4a463d6b90f88c72528b4 |
pdf-font-stream | PDF embedded font (cff) at offset 0xE37C | 5341 bytes |
font_02_cff_off00011bc5.bin83bfeb19b0c4845db32df4914d0b83fe1d3d21784ac5d9c0c916787b851525a4 |
pdf-font-stream | PDF embedded font (cff) at offset 0x11BC5 | 329 bytes |
font_03_cff_off00011d3e.bin20308b2cca49ca179f467f29338da0f479585f14815552fe9db3039ad7d4073c |
pdf-font-stream | PDF embedded font (cff) at offset 0x11D3E | 3751 bytes |
font_04_cff_off00012a0b.binec977c241b825056648add2158f96580faddbc4d82f6db4f8faffc3a8702459b |
pdf-font-stream | PDF embedded font (cff) at offset 0x12A0B | 572 bytes |
font_05_sfnt_off00012c0c.bin0af9dc2b6aa385b71ff540fdc244c5f726b15704f60415611b21f85c4fd688ee |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x12C0C | 21780 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.