Malicious PDF — malware analysis report

Static analysis result for SHA-256 21e0e063d9bf51a7…

Verdict: MALICIOUS
File type: PDF
Size: 17.0 KB
Created: 2010-02-28 13:12:29 +03:00
Authoring application: Acrobat Editor 9.0 (via Adobe Acrobat 9.3.1)
MD5: db2bdff69967ca07726dfac4393416d5
SHA-1: d6211e51e4daf48b73fe5f64b3323b1fb2eb45fb
SHA-256: 21e0e063d9bf51a7f60a7cc1a2c8fd266d0250cd13128ae72ec7b623e17a4d25
Risk score: 108

Malware Insights

MITRE ATT&CK
  • T1059.001 JavaScript/JScript
  • T1204.001 Malicious Link

The PDF file contains a critical heuristic firing for CVE-2007-5659, indicating the exploitation of a vulnerability related to the Collab.collectEmailInfo method. Additionally, a JavaScript action was detected, which is often used to trigger exploits or download further malicious content. The presence of these elements strongly suggests an attack pattern focused on exploiting this specific PDF vulnerability.

Heuristics (4)

  • Collab.collectEmailInfo — CVE-2007-5659 (severity: critical; category: CVE exact; rule: CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (matched in decompressed stream)
  • unescape() call (severity: high; rule: PDF_UNESCAPE)
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action (severity: low; rule: PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/AcrobatAdhocWorkflow/1.0/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_009_off00003627.bin
    SHA-256: a74cff2e97d75eee840b97e7ee18ae4e4b66072094842ded2d4741d0c7f90afc
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3627
    Size: 4150 bytes
  • Filename: objstm_0023_00.bin
    SHA-256: c21b1bcd8703d86c385c04022cf44326356b67f00bfdb5117c275dc123fde9fa
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 23 0 obj (inflated)
    Size: 279 bytes