Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d72d4197ab192b9…

Verdict: MALICIOUS
File type: PDF
Size: 983.0 KB
Created: 2010-01-06 11:43:37 +08:00
MD5: 3d6d41f8d2a386ccdb7e0a74cabba8dc
SHA-1: 217d69ce9a90717c9dd217439a73a84038689a39
SHA-256: 3d72d4197ab192b9452552483f8f3cf96104ad2de877b4810152431a1b99b64b
Risk Score: 86

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1566.002 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF document contains embedded JavaScript and triggers a critical heuristic for CVE-2009-4324 (media.newPlayer). This indicates the file is designed to exploit this vulnerability. The presence of JavaScript actions and embedded JS streams further supports the malicious intent. The document itself appears to be image-only, suggesting a lure to trick the user into interacting with the malicious content.

Heuristics (6)

  • media.newPlayer — CVE-2009-4324 [critical] [CVE exact] CVE_2009_4324
    PDF JavaScript calls media.newPlayer — CVE-2009-4324 is a use-after-free in Adobe Reader's multimedia plugin triggered by media.newPlayer(). Actively exploited as a zero-day in December 2009. (matched in decompressed stream)
  • JavaScript action [low] PDF_JAVASCRIPT
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded JS stream [low] PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • Embedded file [low] PDF_EMBEDDED
    PDF embeds a file attachment — could carry an executable or another weaponised document as a nested payload. (matched inside decoded stream)
  • PDF paints image(s) but contains no text operators [info] PDF_IMAGE_ONLY_LURE
    PDF has 2 image XObject(s) and the content stream contains no text-emitting operators (BT/ET, Tj, TJ, ', ") in either raw bytes or decompressed streams — this is the screenshot-as-PDF pattern used to bypass text-based scanners and to deliver instructions purely through rendered pixels. It is informational unless paired with invisible links or risky URI context.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (4)

Files carved from inside the sample during analysis (Filename, SHA-256, Kind, Source, Size).

  • javascript_obj0043_000.js
    SHA-256: 1a5d85c21cce1724fe86b59506f1a02a0438aae5349a6a29a6c984780390a34f
    Kind: pdf-javascript-stream
    Source: PDF /JS object 43 at offset 0xF5413
    Size: 249 bytes
  • javascript_obj0045_001.js
    SHA-256: c3498727efb51d96cec09f2b966f26c99900a481ace896b31671835f19da3085
    Kind: pdf-javascript-stream
    Source: PDF /JS object 45 at offset 0xF55E2
    Size: 119 bytes
  • javascript_obj0050_003.js
    SHA-256: 667817e8c69082751b295c22ee07fbb34b4c8fdb1dc985dd2fba872628241f39
    Kind: pdf-javascript-stream
    Source: PDF /JS object 50 at offset 0xF572E
    Size: 779 bytes
  • objstm_0051_00.bin
    SHA-256: 1d28b5aa5fb3cfa4e814510749982f5657dff41d85325033f6756f903afd0417
    Kind: pdf-objstm-decoded
    Source: PDF /ObjStm 51 0 obj (inflated)
    Size: 48 bytes