Malicious PDF — malware analysis report

Static analysis result for SHA-256 36cef52b478bc480…

Verdict: MALICIOUS
File type: PDF
Size: 1.95 MB
Created: 2008-09-24 19:47:56
Authoring application: Adobe (via Notepad)
MD5: 0afa5af0dacd15b0b2717f770ae8e856
SHA-1: 267dc2dac296c4145addfd67723c3b7aacf14cd3
SHA-256: 36cef52b478bc480b47d788bceab57eb8bcaee25971f536bdaaf723f6c5fbb7a
Risk Score: 430

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

This PDF file contains multiple critical heuristic firings indicating it is an exploit kit targeting Adobe Reader. Specifically, it leverages CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992 through embedded and obfuscated JavaScript. The JavaScript is further hidden by PDF encryption, requiring JavaScript execution to reveal the exploit stage. The ML classifier also strongly flagged this PDF as malicious. No specific family could be identified, but the exploit chain is clear.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9975

Heuristics (11)

  • Collab.getIcon — CVE-2009-0927 (critical; CVE exact; rule CVE_2009_0927)
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 (critical; CVE exact; rule CVE_2007_5659)
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 (critical; CVE exact; rule CVE_2008_2992)
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • Multi-CVE Adobe Reader JavaScript exploit kit (critical; rule PDF_ADOBE_READER_MULTI_CVE_JS_KIT)
    One recovered JavaScript stage contains multiple version-gated Adobe Reader exploit branches. This is stronger evidence than independent API keywords: the PDF is selecting old Reader vulnerabilities by viewer version and running heap-sprayed Acrobat JavaScript exploit paths.
  • Secondary embedded PDF body has suspicious static findings (critical; rule POLYGLOT_CHILD_PDF_STATIC_TRIAGE)
    A valid PDF body was found at a nonzero offset inside another container and its carved contents matched PDF exploit or lure heuristics. This catches polyglots where the top-level magic routes to ZIP/OLE while a PDF reader or downstream parser opens the hidden PDF payload.
  • Encrypted PDF carries /JavaScript — payload hidden from static analysis (high; rule PDF_ENCRYPTED_WITH_JS)
    PDF declares /Encrypt and also references an executable trigger (/JavaScript). Document encryption hides the JavaScript body and stream contents from static scanners — combined with auto-execution indicators this is a known evasion pattern used to deliver weaponised JavaScript that the analyst cannot inspect without the decryption key.
  • eval() call (high; rule PDF_EVAL)
    eval() found — commonly used for obfuscated exploit execution (matched inside decoded stream).
  • JavaScript action (low; rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream (low; rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Object number defined twice with different bodies (info; rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Suspicious extracted artifact (info; rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (14)

Files carved from inside the sample during analysis.

  • javascript_obj0006_000.js
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0xC72A
    Size: 141 bytes
    SHA-256: bcd295e065c9d4e0c785cfa4d2d4112eb1450983b7671955a210a07777b43ec6
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact contains 1 eval/decoder/string-building token(s))
  • stream_024_off00015194.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x15194
    Size: 28892 bytes
    SHA-256: 5774aaaeede8b93fcc4bd405929c26bceb2881775b5e1227f7e1ee589cb2fce7
  • stream_051_off00057e83.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x57E83
    Size: 11284 bytes
    SHA-256: 38ad9bcedc4b7ecf2c917d9b8a47587436534223b90268c77b975ba5392ce469
  • stream_110_off000b23e4.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xB23E4
    Size: 109134 bytes
    SHA-256: cf823ce74d6aa731861cddfc0f703755115db5a9ceac6ea1460f85a65ef31a51
  • stream_111_off000bf9ef.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xBF9EF
    Size: 109134 bytes
    SHA-256: f6e53fd3bc01b3dc96b5ecb9e398b5a67010081166e5d7fd9ae75bde58e82472
  • stream_114_off000d9936.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xD9936
    Size: 109134 bytes
    SHA-256: 04f7f5c72888d1e44531a3587cc11258dce9989d4dd0f41e594de721ddaa6bf4
  • stream_118_off000fd13b.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xFD13B
    Size: 79846 bytes
    SHA-256: 896ae8cd1119f88dadad8e235dae22e93fba021e3dcc669932d238e0efcbc6e7
  • info_trailer_percent_stage_000.js
    Kind: deobfuscated-js
    Source: Info /Trailer percent-placeholder decoded JavaScript (object 5, info object 9) at offset 0xB4EA
    Size: 2710 bytes
    SHA-256: 50bbea8376f3697dd6ff872e9991c4b74c371c0d357313b36fa75314bddc655f
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact contains 5 eval/decoder/string-building token(s))
  • font_00_cff_off00009186.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0x9186
    Size: 6638 bytes
    SHA-256: d99a27f730bfb30e46addde2d1c5010f6fd1baf2415f5d19e27b81e0f3dd2912
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact entropy is 7.42, consistent with packed or encrypted content)
  • font_01_cff_off0000a7e9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (cff) at offset 0xA7E9
    Size: 3888 bytes
    SHA-256: d2fee10ff029cd37a63c094c45b3f6e15e5aa26429a3ebbb785d111598650658
  • font_02_sfnt_off0001ee72.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1EE72
    Size: 24768 bytes
    SHA-256: f0e600ffb4e0b3f11c8ebb5dfc1969112b4e5f0be63299b24bd7ca296257470c
  • polyglot_child_pdf_off00002b10.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0x2B10
    Size: 2036976 bytes
    SHA-256: 48680ba6b73a5d720cbdc04abd4138c3e2444508db32c7f3f0bf48ea4baee277
  • polyglot_child_pdf_off0000b3b4.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0xB3B4
    Size: 2001996 bytes
    SHA-256: 1c017a572f37ea4456fefad96b6526177b00a02ffe27e8c1cb2cb13310e0ac2d
  • polyglot_child_pdf_off0000c9f7.pdf
    Kind: polyglot-child-pdf
    Source: Secondary PDF body inside pdf container at offset 0xC9F7
    Size: 1996297 bytes
    SHA-256: cca07bdf8bfd0cf08365a4c16add80edfb7706d532d190f2d54e317e8d6e32bd