Malicious PDF — malware analysis report

Static analysis result for SHA-256 27eaeb6c864209c2…

MALICIOUS

PDF

Size: 464.7 KB
Created: 2009-12-16 13:36:07 UTC
Authoring application: PScript5.dll Version 5.2.2 (via GPL Ghostscript 8.54)
MD5: 9ad159b00ca0e7f51168456afa3187d0
SHA-1: b36ad25a47f8ed64b38a71a9f14a73fa2a4c33c9
SHA-256: 27eaeb6c864209c2e54d26e496628ab2d94e44ce0d20ef998bef49a225ff68ec
Risk score: 168

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF contains embedded JavaScript and 3D content (U3D/PRC), both of which are known vectors for exploiting vulnerabilities in Adobe Reader. Specifically, the unescape() call combined with the U3D/3D content indicators strongly suggests an exploit targeting Adobe Reader's 3D parser vulnerabilities. The ML classifier also flagged this PDF as malicious with high confidence. No specific malware family could be identified, but the exploit pattern is consistent with a downloader or initial-access payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9703

Heuristics (7)

  • U3D/3D content in PDF — Adobe Reader 3D parser CVE-family indicator (severity: high; CVE related; rule PDF_U3D_CVE_RELATED)
    PDF contains U3D (Universal 3D) or 3D annotation content. CVE-2011-2462 and CVE-2009-3953 are critical vulnerabilities in Adobe Reader's U3D processing that allow arbitrary code execution. U3D content in PDFs is extremely rare in normal documents.
  • PRC/3D content in PDF (severity: high; CVE related; rule PDF_PRC_3D)
    PDF contains PRC 3D content. PRC/U3D parsers have been a recurring Adobe Reader attack surface; treat this as a related parser-exploit indicator rather than a specific CVE match.
  • unescape() call (severity: high; rule PDF_UNESCAPE)
    unescape() found; it is often used to decode shellcode in PDF JavaScript exploits (matched inside a decoded stream).
  • JavaScript action (severity: low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://purl.org/dc/elements/1.1/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_002_off00000a68.bin
    SHA-256: 235960dedac8e1ef9b5418470081c96d57ba19e69f30b7ad28bf8d01351d6c25
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA68
    Size: 913425 bytes
  • stream_012_off0003ae9d.bin
    SHA-256: 3e7b2f815bc016210c8fcf4e418c90962617a749027f32ce360ae5e422d7a7e3
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x3AE9D
    Size: 1884258 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact contains 5 eval/decoder/string-building token(s).
  • prc_00_off0001e92c.bin
    SHA-256: a1024baddbc120e56a3a76a9e494be970116c4b2a1883fbd5aff00aa93bf8884
    Kind: pdf-3d-stream
    Source: PDF PRC 3D stream at offset 0x1E92C
    Size: 115386 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely. Carved artifact entropy is 7.99, consistent with packed or encrypted content.