Malicious PDF — malware analysis report

Static analysis result for SHA-256 337fb86226d55322…

MALICIOUS

PDF

398.2 KB Created: 2009-09-17 09:09:59 +08:00 Authoring application: Acrobat Distiller 7.0 (Windows)
MD5: ddfb0b2c01c8547af763925e5f1e1356 SHA-1: ddc70d1680110046be990ee3f53f96e9f597b475 SHA-256: 337fb86226d55322b32801a0fdc19fc66d6bf6e2c4bb6d0f1fe597dd1e3e57df
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 JavaScript T1204.002 Malicious Link

The PDF file contains embedded JavaScript that leverages the 'Collab.getIcon' method, a known vulnerability (CVE-2009-0927) in Adobe Reader. The script is obfuscated but appears designed to download and execute a second-stage payload. The presence of JavaScript actions and embedded JS streams, along with the specific CVE firing, strongly indicates this exploit vector. No specific malware family could be confidently identified.

Heuristics 5

  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdfx/1.3/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0017_000.js
7838a86ebe6936a33f5928e35f0e99ac3a44f81bca41932b795651530523acb3		 pdf-javascript-stream PDF /JS object 17 at offset 0x4DA 3130 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).
js_property_alias_stage_000.js
bc3bd18bdacad862deb702c1eecd155e4dd5ee6afff989728ce4dd5064ffd322		 deobfuscated-js JavaScript property alias normalized stage at offset 0x4DA 2694 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 1 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.