PDF malware analysis — malicious · 3474f1b98141a55c

MALICIOUS

PDF

22.8 KB Created: 2009-05-06 20:45:24 +08:00 Authoring application: DocuCom PDF Core Library

MD5: 569607bf8315d9143fe3f7d424c3fda9 SHA-1: 0b0e3c19648c3f2da932f0f0816cd9625ee4471b SHA-256: 3474f1b98141a55c522123f82bbb2b204924477ef92a3e345b317c09381af652

276 Risk Score

Malware Insights

MITRE ATT&CK

T1059.001 PowerShell T1204.001 Malicious Link

The PDF file contains embedded JavaScript that exploits CVE-2009-0927, a known vulnerability in Adobe Reader. The script uses obfuscation techniques and a property alias stage to achieve code execution. This is further supported by ClamAV detections indicating a malicious PDF exploit. The primary attack vector is likely the exploitation of this vulnerability upon opening the PDF.

Heuristics 8

Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927

PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
ClamAV: Pdf.Exploit.Agent-30026 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Exploit.Agent-30026
ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV

ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
unescape() call high PDF_UNESCAPE

unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
JavaScript action low PDF_JAVASCRIPT

PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded JS stream low PDF_JS

PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://ns.adobe.com/xap/1.0/
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/xap/1.0/mm/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`javascript_obj0003_000.js` `3a63aa1468610780740c9dc83aeeec5b08cb097e75c7162b2fbf08d5be27c95c`	pdf-javascript-stream	PDF /JS object 3 at offset 0x883	7299 bytes
Detection ClamAV: Pdf.Exploit.Agent-35646 Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).
`javascript_obj0026_001.js` `573408dcb162ae34e76c4ea823b01b9732a4da0c4b12a6a57e7432d370aed2a7`	pdf-javascript-stream	PDF /JS object 26 at offset 0x20D6	14600 bytes
Detection ClamAV: Pdf.Exploit.Agent-35646 Obfuscation or payload: unlikely
`js_property_alias_stage_000.js` `c6f9892f8926ed8b02629061f911cfd182cd82c24686a6ad67c7eb84523e2511`	deobfuscated-js	JavaScript hex-escape property alias normalized stage at offset 0x883	6747 bytes
Detection ClamAV: Pdf.Exploit.Agent-35646 Obfuscation or payload: likely Carved artifact contains 4 eval/decoder/string-building token(s).

Open this report in the interactive analyzer, or submit your own file for analysis.