Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c2321f7c199c0d1…

MALICIOUS

PDF

Size: 60.7 KB
Created: 2009-03-13 16:50:38 +08:00
Authoring application: Acrobat Web Capture 8.0
MD5: 65c0b1f2717a3385209cdfdea8c0e007
SHA-1: 204cf17929d26bf8daa3ef15176722b75034fa4c
SHA-256: 3c2321f7c199c0d1a3e08f6bbff02e2d0b3d62945dc58bc2a5bae4f92a2b9bab
Risk Score: 178

Malware Insights

This PDF file contains embedded JavaScript that leverages the CVE-2009-0658 exploit targeting a heap-spray vulnerability in Adobe Reader's JBIG2Decode filter. The script is designed to decompress and execute malicious code, likely leading to further compromise. The presence of the exploit and the JavaScript action strongly indicate this attack vector.

Heuristics (8)

  • Adobe Reader JBIG2Decode heap-spray exploit critical CVE likely CVE_2009_0658
    PDF combines JBIG2Decode image streams with a Reader 9 JavaScript heap-spray stage. This is the in-the-wild Adobe Reader/Acrobat JBIG2Decode exploit shape associated with CVE-2009-0658.
  • JBIG2 + active content high CVE related PDF_JBIG2_ACTIVE_CONTENT
    JBIG2Decode appears with JavaScript/XFA/RichMedia — a related indicator for JBIG2 parser-exploit families including CVE-2021-30860 and CVE-2009-0658, but not a unique CVE fingerprint.
  • unescape() call high PDF_UNESCAPE
    unescape() found — often used to decode shellcode in PDF JS exploits (matched inside decoded stream)
  • JBIG2Decode filter medium PDF_JBIG2
    JBIG2 image decoder present — historically used in zero-click exploits
  • JavaScript action low PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • javascript_obj0027_000.js
    SHA-256: 266e00ca3d7ec0109b0318dd8d869c90daf6a2ec1208ffd2c74bb2ce91900b1d
    Kind: pdf-javascript-stream
    Source: PDF /JS object 27 at offset 0x6BCC
    Size: 1808 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact contains 4 eval/decoder/string-building token(s))
  • stream_001_off00002374.bin
    SHA-256: 6a71966cad617bfb05c2fc57e09517130f7abf80fb7d2cd8d6f9a72dd0ff8cc6
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x2374
    Size: 8958 bytes
  • jbig2_00_off000055da.bin
    SHA-256: ae1845b1fbba1550a6b86762a4d9f852e9a434d4c390ad69886d9054b418d5ab
    Kind: pdf-jbig2-stream
    Source: PDF JBIG2 stream at offset 0x55DA
    Size: 4945 bytes
    Detection: ClamAV: No threats found
    Obfuscation or payload: likely (carved artifact entropy is 7.73, consistent with packed or encrypted content)