Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f76561a1fb0321b…

MALICIOUS

PDF

280.4 KB Created: 2008-02-14 17:33:19 -03:00 Authoring application: Acrobat Editor 8.0 (via Adobe Acrobat 8.1.0)
MD5: 28b97585fb0fb68da9b27667f596e975 SHA-1: d0d2c94931f332e361ea00dfeedff8318afc5c94 SHA-256: 2f76561a1fb0321b2f6507ef6f7a052e47e654a8f708b457d25d51120dfc1d2e
180 Risk Score

Malware Insights

The PDF file contains embedded JavaScript that leverages critical vulnerabilities CVE-2009-0927 (Collab.getIcon) and CVE-2008-2992 (util.printf). The JavaScript is obfuscated and uses unescape() calls, indicating an attempt to hide malicious code. This pattern suggests the PDF is designed to exploit these vulnerabilities to download and execute a secondary payload.

Heuristics 7

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (matched in decompressed stream)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (matched in decompressed stream)
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/iX/1.0/

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off00002125.js
1e830a9c9d8da19d4fff0c05753e83c54c52c73057ab979898a21b6f47e1531c		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x2125 8192 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 2 eval/decoder/string-building token(s). Carved artifact contains 2 long base64-like blob(s).
font_00_sfnt_off000325be.bin
5d07dc95bee77e71ce3376010d1c7bb22fd65ad1cc61f5d9a05ee6a99dcc4d17		 pdf-font-stream PDF embedded font (sfnt) at offset 0x325BE 5228 bytes
font_01_sfnt_off000330db.bin
e1c608f4bf606e0e29a19a5cdc72109123037ba70edc80bc48aa556804d218b6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x330DB 12768 bytes
font_02_sfnt_off00034f5b.bin
954955a7915aab837293401c28c14cf6ea6acddafeea239e3e52c798ec87c254		 pdf-font-stream PDF embedded font (sfnt) at offset 0x34F5B 24876 bytes
font_03_sfnt_off00038b00.bin
977e68e886f94e799d1d82556d6e714ff0339a92a0b368ce2dd71a32885efb35		 pdf-font-stream PDF embedded font (sfnt) at offset 0x38B00 10520 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.