PDF malware analysis — malicious · 23bdc845f24c4962

MALICIOUS

PDF

7.0 KB

MD5: a0c9e23598ad1e47f309c9640bdde46a SHA-1: 2bca9beb60533f353011951cd05d47cfcb0de0ad SHA-256: 23bdc845f24c4962eca65d79024bb3eb0332f17e2a16678e4951c5afa87b6259

238 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains obfuscated JavaScript, including calls to `eval()` and the `Collab.collectEmailInfo` function, which is indicative of the CVE-2007-5659 exploit. This exploit is used to execute embedded JavaScript, which in turn likely downloads and executes a second-stage payload. Several JavaScript files were extracted, and ClamAV detections confirm the presence of malicious JavaScript exploits.

Heuristics 7

Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659

PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
ClamAV: Heuristics.PDF.ObfuscatedNameObject critical CLAMAV_DETECTION

ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
eval() call high PDF_EVAL

eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream)
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj111711_000.js` `d05aa7757a00b08830aeccfee72f84e7119a42cf5938d71f7e3bcce6784849ad`	pdf-javascript-stream	PDF /JS object 111711 at offset 0x18E	3413 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111712_001.js` `13f25f64171c78d7a1adce7912264eb1be66b2d1a324f7a9efb3afdae5bc5a95`	pdf-javascript-stream	PDF /JS object 111712 at offset 0x7CE	12773 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`javascript_obj111713_002.js` `2c92c27b4f29a7ae4d3b2fb38915d3535b8ebdc3804e9d5644f46b0bb1fe40b3`	pdf-javascript-stream	PDF /JS object 111713 at offset 0x17E0	1582 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 1 eval/decoder/string-building token(s). Carved artifact contains 5 long base64-like blob(s).
`legacy_pdfkit_stage_000.js` `9eca9da0aa87075a675357b70617f71066668dd9902e78baf32580c2a4cbb10a`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x7CE	1464 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 3 eval/decoder/string-building token(s).
`legacy_pdfkit_stage_001.js` `6746c696514a09ab42ea162c0b0e18ca3504da17ededc9d348bf61f0609c6119`	deobfuscated-js	multi-marker percent-array decoded JavaScript at offset 0x17E0	87 bytes
`legacy_pdfkit_stage_002.js` `333e264211eca04da1e1da1f279b8794322849b0df399d169605c58909a4755b`	deobfuscated-js	multi-marker percent-array combined decoded JavaScript at offset 0x7CE	3105 bytes
Detection ClamAV: Js.Exploit.Shellcode-18 Obfuscation or payload: likely Carved artifact contains 6 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.