Malicious PDF — malware analysis report

Static analysis result for SHA-256 23c8f843d2537e90…

Verdict: MALICIOUS

File type: PDF

Size: 4.5 KB
Created: 2010-12-30 23:82:00 (value as recorded in the file's own metadata; the minute field is out of range, which is itself a sign the metadata was not written by a well-behaved producer)
Authoring application: Scribus 1.3.3.12 (via Scribus PDF Library 1.3.3.12), as claimed by the file's metadata
MD5: eecb970360e6ec3596cc5ab502251356
SHA-1: f07eb4ae7c8a57ff754c3e74ca23dbab12e40f6d
SHA-256: 23c8f843d2537e909f28c34233afcad635d86d8eba2ef8d9af0a1fe99224658d
Risk score: 216

Malware Insights

MITRE ATT&CK
T1059.001 Command and Scripting Interpreter: PowerShell
T1204.002 User Execution: Malicious File
Note: none of the static heuristics below evidences PowerShell use; T1059.001 should be treated as an unconfirmed mapping until the payload has been extracted and analysed.

This PDF contains embedded JavaScript that calls `unescape()` and `util.printf()`. That pairing is the classic pattern for exploitation of CVE-2008-2992, a stack-based buffer overflow in the `util.printf()` implementation of Adobe Reader and Acrobat 8.1.2 and earlier: `unescape()` decodes %u-encoded shellcode into memory and `util.printf()` is then passed an over-long format specifier to trigger the overflow. The `/OpenAction` entry makes the script run as soon as the document is opened, with no interaction beyond opening the file. ClamAV additionally flags the file as Win.Trojan.Agent-36168; Agent-* is a generic trojan family name, so the detection confirms a known-bad sample but says little about what the payload does. Given the file's small size (4.5 KB), the most plausible design is a downloader, with the shellcode fetching and executing a secondary payload rather than carrying it inline. That is an inference from static indicators only; confirming the payload's behaviour requires extracting the JavaScript, decoding the shellcode and analysing it.

Heuristics (6)

  • util.printf / CVE-2008-2992 (critical, rule CVE_2008_2992)
    The PDF's JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader 8.1.2 and earlier, triggered by an over-long format specifier passed to util.printf(); it was widely exploited in the wild after disclosure. In this sample the call appears alongside unescape(), the usual shellcode decoding step.
  • ClamAV: Win.Trojan.Agent-36168 (critical, rule CLAMAV_DETECTION)
    ClamAV detects this file as Win.Trojan.Agent-36168. Agent-* names are generic: the detection establishes that the sample matches a known-malicious signature, not what the payload does.
  • OpenAction trigger (high, rule PDF_OPENACTION)
    The document has an /OpenAction entry, so the referenced action runs automatically when the file is opened.
  • unescape() call (high, rule PDF_UNESCAPE)
    unescape() is present. In PDF JavaScript exploits it is commonly used to turn %u-encoded strings into shellcode in memory.
  • JavaScript action (low, rule PDF_JAVASCRIPT)
    The PDF contains a /JavaScript action. JavaScript on its own is common in benign forms; the specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low, rule PDF_JS)
    The PDF references a /JS stream. The same caveat applies: generic JavaScript is not scored as dangerous by itself; specific APIs are.