PDF malware analysis — malicious · 277ddb842c99330b

MALICIOUS

PDF

185.2 KB

MD5: fc23b244194c9f5be2ac126d080eba32 SHA-1: 4975e031f197cd0221908fc8e73b8ce20539be70 SHA-256: 277ddb842c99330b78de3dd4c681506dddb7f782546e3349e92db1eb05f8e204

270 Risk Score

Malware Insights

MITRE ATT&CK

T1204.002 Malicious File Execution: Malicious PDF T1059.001 Command and Scripting Interpreter: JavaScript

This PDF exploits CVE-2009-0658, a heap-spray vulnerability in Adobe Reader, using embedded JavaScript. The JavaScript is obfuscated and likely responsible for downloading and executing a second-stage payload. The presence of a secondary embedded PDF with similar suspicious findings further indicates a multi-stage attack. The primary exploit identified is CVE-2009-0658.

Machine Learning

Nyx PDF Classifier malicious score 0.6728

Heuristics 10

Adobe Reader JBIG2Decode heap-spray exploit critical CVE likely CVE_2009_0658

PDF combines JBIG2Decode image streams with a Reader 9 JavaScript heap-spray stage. This is the in-the-wild Adobe Reader/Acrobat JBIG2Decode exploit shape associated with CVE-2009-0658.
JBIG2 + active content high CVE related PDF_JBIG2_ACTIVE_CONTENT

JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
Secondary embedded PDF body has suspicious static findings critical POLYGLOT_CHILD_PDF_STATIC_TRIAGE

A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
JBIG2Decode filter medium PDF_JBIG2

JBIG2 image decoder present — historically used in zero-click exploits
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/pdf/1.3/

Extracted artifacts 6

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_002_off00000310.js` `a0c0de2e1bdb6b678dbe7cf719fb7d9b13ab2bc07f8552e835bea2054a38c5fd`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x310	1809 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
`stream_005_off00002a45.bin` `6a71966cad617bfb05c2fc57e09517130f7abf80fb7d2cd8d6f9a72dd0ff8cc6`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x2A45	8958 bytes
`objstm_0029_00.bin` `f8eb65864fd50b29cfa71dd142b8bbf6494c65d9fbb58bcb2b7b2c3ac3227298`	pdf-objstm-decoded	PDF /ObjStm 29 0 obj (inflated)	88 bytes
`jbig2_00_off000006b7.bin` `05e62dd154e4c23a9ea6419bc55207b0ec9a101988fb14c2ca6b726751351011`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x6B7	4945 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.93, consistent with packed or encrypted content.
`jbig2_01_off00028cc3.bin` `4fc5fd9bdd46c763dfaa373b14504131baf03f9314d69c0f1a6c1bf156c9676f`	pdf-jbig2-stream	PDF JBIG2 stream at offset 0x28CC3	4945 bytes
Detection ClamAV: No threats found Obfuscation or payload: likely Carved artifact entropy is 7.96, consistent with packed or encrypted content.
`polyglot_child_pdf_off0002860c.pdf` `3302a99a86506e0bf6968dbafb05b5165d2c47783dd9b721b8272b33116045e1`	polyglot-child-pdf	Secondary PDF body inside pdf container at offset 0x2860C	24210 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.