Malicious PDF — malware analysis report

Static analysis result for SHA-256 3b4d319cbef7426e…

Verdict: MALICIOUS
File type: PDF
Size: 6.4 KB
MD5: d38a6d7801d9eb5c7f3ddfc96200e80d
SHA-1: 4682a4e42c9a1315768c69d6b5799a2c5a68fa94
SHA-256: 3b4d319cbef7426efcec067ef4612f9863c4cc834a5a4a839f7e61bfc8a5c4e6
Risk score: 178

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file contains embedded JavaScript and triggers a critical vulnerability (CVE-2009-0927) related to Collab.getIcon. The presence of JavaScript and the specific exploit indicate an attempt to execute arbitrary code. The ClamAV detection further supports its malicious nature. The embedded JavaScript is likely responsible for downloading and executing a second-stage payload.

Heuristics (6)

  • Collab.getIcon — CVE-2009-0927 [severity: critical; rule: CVE_2009_0927]
    PDF JavaScript calls Collab.getIcon. CVE-2009-0927 is a stack buffer overflow in Adobe Reader triggered by Collab.getIcon() with a crafted argument; it allows arbitrary code execution. (matched in decompressed stream)
  • ClamAV: Heuristics.PDF.ObfuscatedNameObject [severity: critical; rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Heuristics.PDF.ObfuscatedNameObject
  • unescape() call [severity: high; rule: PDF_UNESCAPE]
    unescape() found; it is often used to decode shellcode in PDF JavaScript exploits. (matched inside decoded stream)
  • JavaScript action [severity: low; rule: PDF_JAVASCRIPT]
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [severity: low; rule: PDF_JS]
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact [severity: info; rule: EXTRACTED_FILE_STATIC_TRIAGE]
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: javascript_obj0006_000.js
    SHA-256: ef74620994ff5bd264bd5ede0a1a7e62684a5c042bdc6166d6ae69e43fea06c2
    Kind: pdf-javascript-stream
    Source: PDF /JS object 6 at offset 0x1A3
    Size: 5392 bytes
    Detection:
      ClamAV: No threats found
      Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s))