Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a445b7a47786d25…

MALICIOUS

PDF

1.9 KB
MD5: 72d44001848f61bba97315c167e76dc5 SHA-1: c4bf0b227c39bbcc90964d94ccee872a5ca9a1b2 SHA-256: 2a445b7a47786d253eec985d66a0d07b17d319c7496a6476eb3bd183194fd606
76 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File: User Execution: Malicious Attachment T1059.001 Command and Scripting Interpreter: JavaScript

The PDF file contains embedded JavaScript, indicated by the PDF_JAVASCRIPT and PDF_JS heuristics. The critical CVE_2008_2992 heuristic firing suggests the document exploits a vulnerability in the PDF reader to execute this script. The script's purpose is to leverage the 'util.printf' function, a known indicator for this specific exploit, likely to download and execute a secondary payload. The DOC BODY content appears to be obfuscated script fragments, further supporting the malicious intent.

Heuristics 3

  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0006_000.js
1e738c881ef714d1d6c5327f3e510b31b0b179512b78e83193617a5848457c71		 pdf-javascript-stream PDF /JS object 6 at offset 0x138 1315 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.