PDF malware analysis — malicious · 1fc5fe5ca085fa90

MALICIOUS

PDF

6.4 KB Created: 2010-12-30 24:31:00 Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12)

MD5: 88def5079bbf6253e01e9149f5437efa SHA-1: ac2957a628a380584f05765d01bb37841cbb319c SHA-256: 1fc5fe5ca085fa900da542b1eb5694d17b73efb358ced3f57f5f1f3620bc51e6

216 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.002 Malicious File

The PDF file contains embedded JavaScript and triggers an OpenAction, indicating an attempt to execute code upon opening. The presence of a critical heuristic for CVE-2009-0927 (Collab.getIcon) strongly suggests exploitation of this vulnerability. The JavaScript is obfuscated, but the overall pattern points to a malicious PDF designed to exploit a known reader vulnerability.

Heuristics 6

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution.
ClamAV: Pdf.Exploit.CVE_2009_0927-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.CVE_2009_0927-1
OpenAction trigger high PDF_OPENACTION

PDF has an /OpenAction — code runs automatically when opened
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Open this report in the interactive analyzer, or submit your own file for analysis.