Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c5fa6b2b3468fc5…

Verdict: MALICIOUS
File type: PDF
Size: 6.2 KB
MD5: 9c406098a4a3b3fdfdfe8c4e4e7e45c3
SHA-1: 362347fd6f046b07644067f9c2a6ab4f35201341
SHA-256: 2c5fa6b2b3468fc5e4a38f58cb1fff7e7059806e428cfc179b9fdbc85221859d
Risk score: 78

Malware Insights

MITRE ATT&CK: T1059.001 (PowerShell), T1204.002 (Malicious File)

The PDF file contains embedded JavaScript and triggers a critical heuristic for CVE-2008-2992, indicating that it exploits that vulnerability via util.printf. The /JavaScript action suggests execution of malicious code. The benign URLs present (XMP metadata namespaces) do not detract from the malicious nature indicated by the exploit and the script execution.

Heuristics (5)

  • util.printf — CVE-2008-2992 (severity: critical; CVE exact match; rule CVE_2008_2992)
    PDF JavaScript calls util.printf(). CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument; it was widely exploited in the wild after disclosure. (matched in decompressed stream)
  • JavaScript action (severity: low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Embedded JS stream (severity: low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules. (matched inside decoded stream)
  • Suspicious extracted artifact (severity: info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info; rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00000323.bin
SHA-256: cb1ff0b2bdf4831ce6f3ffa9e696fde126febf9257091ca0f80a7d1c447c130d
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x323
Size: 289 bytes
Detection: ClamAV: No threats found
Obfuscation or payload: likely (carved artifact contains 1 long base64-like blob)

Filename: objstm_0024_00.bin
SHA-256: 9611d3ce4c74d5fed167968397032ba2a5da89c2ef8c03adb6529ac4f7cfad47
Kind: pdf-objstm-decoded
Source: PDF /ObjStm 24 0 obj (inflated)
Size: 331 bytes