Malicious PDF — malware analysis report

Static analysis result for SHA-256 374558d7f64c39a9…

MALICIOUS

PDF

584.4 KB
MD5: 8cbeb6b882a7e4c9e9acfce795004280 SHA-1: 7fea4d1d2552a501cdfb80e7293554c8facf2c39 SHA-256: 374558d7f64c39a9cec8e6e6100397a7a0eb3994967260d162fdae1f3f847b0a
408 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains multiple critical heuristic firings indicating exploitation of known PDF vulnerabilities, specifically CVE-2009-4324, CVE-2009-0927, CVE-2007-5659, and CVE-2008-2992. These vulnerabilities are leveraged to execute embedded JavaScript. The presence of JavaScript actions and embedded JS streams, along with ClamAV detections of 'Pdf.Dropper.Agent-7249145-0' and an extracted artifact 'Pdf.Exploit.Agent-35646', strongly suggests this PDF is a dropper designed to download and execute further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8316

Heuristics 9

  • media.newPlayer — CVE-2009-4324 critical CVE exact CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (identified after JavaScript deobfuscation)
  • Collab.getIcon — CVE-2009-0927 critical CVE exact CVE_2009_0927
    PDF JavaScript calls Collab.getIcon — CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument. Allows arbitrary code execution. (identified after JavaScript deobfuscation)
  • Collab.collectEmailInfo — CVE-2007-5659 critical CVE exact CVE_2007_5659
    PDF JavaScript calls Collab.collectEmailInfo — CVE-2007-5659 is a buffer overflow in Adobe Reader triggered by a long argument or heap-sprayed message field passed to Collab.collectEmailInfo(). Part of a series of Acrobat JS API exploits. (identified after JavaScript deobfuscation)
  • util.printf — CVE-2008-2992 critical CVE exact CVE_2008_2992
    PDF JavaScript calls util.printf() — CVE-2008-2992 is a stack buffer overflow in Adobe Reader triggered by a long format-specifier argument. Widely exploited in the wild after disclosure. (identified after JavaScript deobfuscation)
  • ClamAV: Pdf.Dropper.Agent-7249145-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7249145-0
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts 18

Files carved from inside the sample during analysis.

FilenameKindSourceSize
javascript_obj0307_000.js
3eb94a1237847c2fd0f07ee9e5f75fb6496c9d036a1c43a4542506e91250a906		 pdf-javascript-stream PDF /JS object 307 at offset 0x8F1D4 730 bytes
info_stride_js_000.js
1905ddfdf05f4c66604a8d45e0eeb411ccad1e5852ac86087ca733412bbc2eb8		 deobfuscated-js PDF /Info fields via stride 6 4578 bytes
Detection
ClamAV: Pdf.Exploit.Agent-35646
Obfuscation or payload: likely
Carved artifact contains 12 eval/decoder/string-building token(s). Carved artifact contains 1 long base64-like blob(s).
icc_00_off00014dc3.icc
2b3aa1645779a9e634744faf9b01e9102b0c9b88fd6deced7934df86b949af7e		 pdf-icc-profile PDF ICC profile at offset 0x14DC3 3144 bytes
font_00_cff_off0000ca09.bin
38f4ddd32e736897982ced0858b49da07a104e846d0946b9789f4ef370f99eb2		 pdf-font-stream PDF embedded font (cff) at offset 0xCA09 357 bytes
font_01_cff_off0000ceb2.bin
2789af23995f8af33b2dae091e9b962494e0b8b0e898fada623820ee9686b3ca		 pdf-font-stream PDF embedded font (cff) at offset 0xCEB2 499 bytes
font_02_cff_off0000d3df.bin
755b31802bfcbe5da85fa3b6417005821fa046390579475e59a1b7e221fd17f2		 pdf-font-stream PDF embedded font (cff) at offset 0xD3DF 2550 bytes
font_03_cff_off0000e12d.bin
eb7fc9a0f6b5c973d758c18668889ef5241421e8108bf894a9400ecd0930c40c		 pdf-font-stream PDF embedded font (cff) at offset 0xE12D 3369 bytes
font_04_cff_off0000f0d6.bin
ce12ce1ce9ee146def1a9a0aa879316c8283c74b0dab40de60412666b768231d		 pdf-font-stream PDF embedded font (cff) at offset 0xF0D6 2951 bytes
font_05_cff_off0000ff0b.bin
650743b0083f4117eafe6d934f210cd07b94d118b25ed99f041916d1b6f42ac7		 pdf-font-stream PDF embedded font (cff) at offset 0xFF0B 5979 bytes
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact entropy is 7.40, consistent with packed or encrypted content.
font_06_cff_off0001178b.bin
91487fd16b17d83908b1ba219ae597731b7158e968667787a056b1d4df0de59a		 pdf-font-stream PDF embedded font (cff) at offset 0x1178B 1949 bytes
font_07_cff_off0001239e.bin
cf4944c56c01f4a65c36b5010c12128ca3ddbe0e6806e8b147a7b04453bfa751		 pdf-font-stream PDF embedded font (cff) at offset 0x1239E 6612 bytes
font_08_cff_off00013fbf.bin
c5675bd2f2b586cbf48ee24f95e1cf91eec1b4928c28c92220efce9ec4db3e29		 pdf-font-stream PDF embedded font (cff) at offset 0x13FBF 3996 bytes
font_09_sfnt_off00017644.bin
2722878b19761e7a433e1ca6f32e7f9fe9cccce4136877b3beb9040f23bd4b18		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17644 23432 bytes
font_10_sfnt_off0001ac1b.bin
80383e85181b7288bd3f68d71356b7e2ef2e1f0ba00d93e81908469c104a18d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AC1B 52108 bytes
font_11_sfnt_off00023303.bin
336a7a084a76c025a84d5a8cbd6080db9a267cde0e24fe672acabed56b19aa8d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x23303 48764 bytes
font_12_cff_off0008754b.bin
b7acc2e77938f52ea0e0e99ad276600cacf4c9a68f9966b0cff658984fc5fdfe		 pdf-font-stream PDF embedded font (cff) at offset 0x8754B 1390 bytes
font_16_cff_off0008c3af.bin
498107d4b463cdfaabb7ecb0de303a1fd3753cd0475826d8151726b62a86cbb1		 pdf-font-stream PDF embedded font (cff) at offset 0x8C3AF 2026 bytes
font_17_cff_off0008ced6.bin
6b20e84459271e0cdfae9863860320d5b0fe24a40f52c5aa56fd600bf142e820		 pdf-font-stream PDF embedded font (cff) at offset 0x8CED6 1370 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.