Malicious PDF — malware analysis report

Static analysis result for SHA-256 2391b625a90f5395…

MALICIOUS

PDF

1.95 MB
MD5: da114b7fb90d0ea830e110b97e4289f9 SHA-1: 009ddc8f2b330ab557dbaaa1c906c3bb9f77cf1e SHA-256: 2391b625a90f5395fa3a9255afb0a91c6bd24919668438d09a06e143a638d06b
108 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1059.001 JavaScript

The PDF sample contains embedded JavaScript and triggers CVE-2007-5659 via the Collab.collectEmailInfo function. This indicates the document is designed to exploit a vulnerability to run arbitrary code. The ML classifier strongly flags this PDF as malicious, and the presence of obfuscated JavaScript streams further supports this assessment. The primary attack vector appears to be leveraging a known PDF vulnerability to execute a malicious script.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0001_000.js
d019ba19e3716e8061cee87ae5126927674972121e587672abadc04f795b6c71		 pdf-javascript-stream PDF /JS object 1 at offset 0xF 63 bytes
javascript_obj0013_001.js
3c9a00c835a3358275dcc16555521a5670fe897077f8687a0ff2e3119b55f396		 pdf-javascript-stream PDF /JS object 13 at offset 0x395 15675 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 long base64-like blob(s).
legacy_pdfkit_stage_000.js
9fe4a8d0a22c334a93c7cfd5016906b7100b512822e24aa07f9e8143510914b5		 deobfuscated-js reverse-string concatenation decoded JavaScript at offset 0x395 2043 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 3 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.