Verdict: MALICIOUS (Risk Score 188)
Malware Insights
MITRE ATT&CK
- T1059.007 Command and Scripting Interpreter: JavaScript (the embedded PDF JavaScript; the page's original label T1059.001 is the PowerShell sub-technique)
- T1204.002 User Execution: Malicious File
The PDF file contains embedded JavaScript that uses unescape() and String.fromCharCode(), a common way to decode shellcode and build strings at run time. The critical heuristic is a call to media.newPlayer, the trigger for CVE-2009-4324, a use-after-free in Adobe Reader's multimedia plugin that was exploited in the wild as a zero-day in December 2009 and patched in Reader/Acrobat 9.3 and 8.2 (January 2010); only unpatched readers of that era are affected by the exploit itself. The document also contains multiple invisible link annotations, four of which are flagged as payload links pointing at ZIP archives on rapidshare.com. Taken together, the document's purpose is to exploit the reader and fetch a secondary payload; the ClamAV result on the carved JavaScript is clean, so the verdict rests on these heuristics rather than on a signature hit.
Heuristics (9)

- media.newPlayer / CVE-2009-4324 (critical, exact CVE match, rule CVE_2009_4324): PDF JavaScript calls media.newPlayer. CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(); it was actively exploited as a zero-day in December 2009. (matched in decompressed stream)
- Invisible/repeated PDF links deliver payload file (critical, rule PDF_REPEATED_PAYLOAD_LINK_LURE): the PDF uses invisible link annotations that point to a direct payload download. Repeated invisible links, or lure-like payload names such as document/unlock/verify archives, match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
- unescape() call (high, rule PDF_UNESCAPE): unescape() found; often used to decode shellcode in PDF JavaScript exploits. (matched inside decoded stream)
- JavaScript action (low, rule PDF_JAVASCRIPT): the PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- Embedded JS stream (low, rule PDF_JS): the PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
- String.fromCharCode (low, rule PDF_FROMCHARCODE): String.fromCharCode found; used to construct payload strings dynamically. Common in benign JavaScript libraries for codepoint manipulation, so on its own this is informational; weaponised use is also caught by the dedicated fromCharCode-stage and exploit-shape rules. (matched inside decoded stream)
- External URI (info, rule PDF_URI): the PDF contains an external URL action.
- Suspicious extracted artifact (info, rule EXTRACTED_FILE_STATIC_TRIAGE): one or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, rule EMBEDDED_URL): one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted URLs (11; the first is wrapped in an anonym.to referrer-hiding redirect):
- http://anonym.to/?http://rapidshare.com/files/351111502/PBARG2009-11.pdf
- http://rapidshare.com/files/351048688/PBARG2009-01.pdf
- http://rapidshare.com/files/351050932/PBARG2009-02.pdf
- http://rapidshare.com/files/351344877/PBARG2009-03.zip
- http://rapidshare.com/files/351072386/PBARG2009-04.pdf
- http://rapidshare.com/files/351082573/PBARG2009-05.pdf
- http://rapidshare.com/files/351090471/PBARG2009-06.pdf
- http://rapidshare.com/files/351100398/PBARG2009-07.pdf
- http://rapidshare.com/files/351347305/PBARG2009-08.zip
- http://rapidshare.com/files/351107321/PBARG2009-09.pdf
- http://rapidshare.com/files/351108980/PBARG2009-10.pdf
Extracted artifacts (2)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size | Detection |
|---|---|---|---|---|---|
| javascript_obj0212_000.js | c4318ccdbb70938f95d55b6fc707764fc52deb8107914026524011464ff0aa7c | pdf-javascript-stream | PDF /JS object 212 at offset 0x36A2A | 5621 bytes | ClamAV: no threats found. Obfuscation or payload: likely (5 eval/decoder/string-building tokens, 2 long base64-like blobs) |
| font_00_sfnt_off00017974.bin | de9aaf7694589b251f49290f70c78023588adbd917995f7042253f1b48fb6ff3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17974 | 43120 bytes | no detection listed |

The clean ClamAV result on the carved JavaScript means no signature matched; the verdict comes from the heuristics above (the media.newPlayer call, unescape() shellcode decoding and the hidden payload links), so it should be confirmed by reading the decoded /JS object 212 rather than by re-running AV against the sample.
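The following script is an added example for this report, not the analyzer's own code, showing how the heuristics above and the carved-artifact triage can be reproduced statically: walk the PDF objects, inflate FlateDecode streams, match the media.newPlayer, unescape() and String.fromCharCode tokens inside the decoded JavaScript, flag /Link annotations that are hidden (/F bit 2) or zero-area and point at an archive or lure-named file (the PDF_REPEATED_PAYLOAD_LINK_LURE shape), and count decoder tokens and base64-like blobs in the carved JS (the EXTRACTED_FILE_STATIC_TRIAGE shape). The rule ids are the report's; the weights, verdict thresholds, lure words, example.invalid URLs and the constructed sample document are assumptions made for the illustration.

```python
import re
import zlib
from collections import Counter

# Added example, not the analyzer's own code. Rule ids follow the report; the
# weights, verdict thresholds, lure words, example.invalid URLs and the sample
# document are assumptions made for this illustration.
RULES = [  # (rule id, severity, weight, where it is matched, pattern)
    ("CVE_2009_4324", "critical", 80, "stream", re.compile(rb"media\.newPlayer")),
    ("PDF_UNESCAPE", "high", 30, "stream", re.compile(rb"\bunescape\s*\(")),
    ("PDF_FROMCHARCODE", "low", 5, "stream", re.compile(rb"String\.fromCharCode")),
    ("PDF_JAVASCRIPT", "low", 5, "dict", re.compile(rb"/S\s*/JavaScript\b")),
    ("PDF_JS", "low", 5, "dict", re.compile(rb"/JS\b")),
]
PAYLOAD_EXT, LURE_WORDS = (".zip", ".rar", ".exe", ".scr", ".jar"), ("document", "unlock", "verify")
DECODER_TOKENS = re.compile(rb"\b(eval|unescape|fromCharCode|atob|replace|split)\b")
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{60,}={0,2}")
OBJ_HDR, STREAM_HDR = re.compile(rb"(\d+)\s+\d+\s+obj\b"), re.compile(rb"stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only, not "N 0 R"

def iter_objects(pdf):
    """Yield (object number, dictionary bytes, decoded stream or None); streams are sliced by /Length."""
    pos = 0
    while (m := OBJ_HDR.search(pdf, pos)):
        end = pdf.find(b"endobj", m.end()) % (len(pdf) + 1)  # -1 (not found) becomes len(pdf)
        sm = STREAM_HDR.search(pdf, m.end(), end)
        head, data = pdf[m.end():end], None
        if sm:
            head = pdf[m.end():sm.start()]
            lm = LENGTH_RE.search(head)
            stop = sm.end() + int(lm.group(1)) if lm else pdf.find(b"endstream", sm.end())
            data, end = pdf[sm.end():stop], pdf.find(b"endobj", stop) % (len(pdf) + 1)
            if b"/FlateDecode" in head:
                try:
                    data = zlib.decompressobj().decompress(data)
                except zlib.error:
                    pass  # keep the raw bytes; they are still worth scanning
        yield int(m.group(1)), head, data
        pos = end + 6

def parse_link(head):
    """(uri, invisible) for a /Link with a /URI action; invisible = Hidden flag (/F bit 2) or zero-area /Rect."""
    um = re.search(rb"/URI\s*\((.*?)\)", head, re.S)
    if not (um and re.search(rb"/Subtype\s*/Link\b", head)):
        return None
    fm, rm = re.search(rb"/F\s+(\d+)", head), re.search(rb"/Rect\s*\[([^\]]*)\]", head)
    x0, y0, x1, y1 = (float(v) for v in rm.group(1).split()) if rm else (0, 0, 1, 1)
    hidden = bool(fm and int(fm.group(1)) & 2) or abs(x1 - x0) < 1 or abs(y1 - y0) < 1
    return um.group(1).decode("latin-1"), hidden

def looks_like_payload(uri):
    name = uri.rsplit("/", 1)[-1].lower()
    return name.endswith(PAYLOAD_EXT) or any(w in name for w in LURE_WORDS)

def triage_artifact(data):
    """Carved-artifact triage in the EXTRACTED_FILE_STATIC_TRIAGE shape: decoder tokens and base64-like blobs."""
    tokens, blobs = len(DECODER_TOKENS.findall(data)), len(B64_BLOB.findall(data))
    return {"decoder_tokens": tokens, "b64_blobs": blobs,
            "obfuscation": "likely" if tokens >= 3 or blobs else "unlikely"}

def scan_pdf(pdf):
    findings, links = [], []
    for num, head, data in iter_objects(pdf):
        for rule, sev, w, where, rx in RULES:
            target = head if where == "dict" else data
            if target is not None and rx.search(target):
                findings.append((rule, sev, w, f"obj {num} ({where})"))
        if (link := parse_link(head)):
            links.append(link)
    counts, flagged = Counter(u for u, _ in links), set()
    for uri, invisible in links:  # payload-like name AND (invisible OR repeated) => lure carrier
        if uri not in flagged and looks_like_payload(uri) and (invisible or counts[uri] > 1):
            flagged.add(uri)
            findings.append(("PDF_REPEATED_PAYLOAD_LINK_LURE", "critical", 60, uri))
    if links:
        findings.append(("PDF_URI", "info", 0, f"{len(links)} link annotation(s)"))
    score = sum(f[2] for f in findings)
    verdict = ("MALICIOUS" if score >= 100 or any(f[1] == "critical" for f in findings)
               else "SUSPICIOUS" if score >= 30 else "CLEAN")
    return {"verdict": verdict, "score": score, "rules": sorted({f[0] for f in findings}),
            "urls": sorted(counts), "findings": findings}

def build_sample_pdf(js, uri, hidden):
    """Constructed one-page sample (no xref table; the scanner does not need one)."""
    z = zlib.compress(js)
    annot = b"/F 2 /Rect [0 0 0 0]" if hidden else b"/Rect [72 72 200 100]"
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS 5 0 R >> >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R] >>",
            b"<< /Type /Annot /Subtype /Link " + annot + b" /A << /S /URI /URI (" + uri + b") >> >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(z) + z + b"\nendstream"]
    body = b"".join(b"%d 0 obj\n" % i + o + b"\nendobj\n" for i, o in enumerate(objs, 1))
    return b"%PDF-1.5\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

# Constructed JS in the shape the report describes (decoder helpers plus the
# CVE-2009-4324 trigger token); a detector test string, not an exploit.
SAMPLE_JS = (b"var sc = unescape('%u9090%u9090%u4141%u4141');\n"
             b"var pad = String.fromCharCode(0x90, 0x90);\n"
             b"var blob = '" + b"QUJD" * 16 + b"';\neval(pad + sc);\nmedia.newPlayer(null);\n")

if __name__ == "__main__":
    r = scan_pdf(build_sample_pdf(SAMPLE_JS, b"http://dl.example.invalid/files/document_unlock.zip", True))
    print(r["verdict"], r["score"], r["rules"], triage_artifact(SAMPLE_JS))
```

Two design points worth noting. Streams are sliced by their direct /Length rather than by searching for `endstream`, because compressed or binary stream bodies can legitimately contain that keyword; an indirect /Length (`N 0 R`) falls back to the keyword search. The lure rule requires both a payload-like target name and a hidden or repeated annotation, matching the report's reasoning that a single visible link to a document is ordinary while invisible or duplicated links to archives are a carrier signature.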